Re: Internet Explorer URL parsing vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Internet Explorer URL parsing vulnerability
From: "Eric \"MightyE\" Stevens" <trash@xxxxxxxxxxx>
Date: Tue, 09 Dec 2003 14:34:34 -0500
Cc: soulshok@xxxxxxxxx
In-reply-to: <3FD62323.8020606@xxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20031209171957.7977.qmail@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> <3FD62323.8020606@xxxxxxxxxxx>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6b) Gecko/20031205 Thunderbird/0.4

IE 6.0.2800.1106.xpsp2.030422-1633 with all the latest updates (SP1;Q822925; Q330994; Q828750; Q824145) is vulnerable. Works like a charm.


-Eric "MightyE" Stevens
http://lotgd.net

soulshok@xxxxxxxxx wrote:

In-Reply-To: <20031209144416.31613.qmail@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>

# Exploit ##########
By opening a window using the http://user@domain nomenclature an attacker can hide the 
real location of the page by including a 0x01 character after the "@" character.
Internet Explorer doesn't display the rest of the URL making the page appear to be at a different domain.

...

# Tested ##########
Internet Explorer
Version 6.0.2800.1106C0
Updates: SP1, Q810847, Q810351, Q822925, Q330994, Q828750, Q824145

Internet Explorer 5.00.3700.1000 (SP4, Q824145) doesn't seem to be vunlerable 
to this.

References:
- Re: Internet Explorer URL parsing vulnerability
  - From: soulshok

Prev by Date: Dell BIOS DoS
Next by Date: Re: Hot fix for do_brk bug
Previous by thread: Re: Internet Explorer URL parsing vulnerability
Next by thread: Internet Explorer URL parsing vulnerability
Index(es):
- Date
- Thread