Re: Internet Explorer URL parsing vulnerability
Using the POC at http://www.zapthedingbat.com/security/ex01/vun1.htm
The following do NOT have the vulnerability.
MacOSX 10.2.28 Mozilla Firebird 0.6 NOT vulnerability
MacOSX 10.2.28 Mozilla Firebird 0.7.1 NOT vulnerability
MacOSX 10.2.28 IE 5.2.2 (5010.1) NOT vulnerability
MacOSX 10.2.28 IE 5.2.3 (5815.1) NOT vulnerability
With both Firebird and IE the following is the same result. The
line below is a cut/paste.
http://www.microsoft.com%01@xxxxxxxxxxxxxxxxx/security/ex01/vun2.htm
Someone have a different test site?
Bugtraq seems to be holding my posts lately so if you don't see this
please relay it to the list.
On Wednesday, December 10, 2003, at 02:26 PM, Andreas Plesner Jacobsen
wrote:
On Wed, Dec 10, 2003 at 12:13:57AM +0000, Pedro Castro wrote:
From: <bugtraq@xxxxxxxxxxxxxxxxx>
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Internet Explorer URL parsing vulnerability
Internet Explorer URL parsing vulnerability
Vendor Notified 09 December, 2003
# Vulnerability ##########
There is a flaw in the way that Internet Explorer displays URLs in
the address bar.
By opening a specially crafted URL an attacker can open a page that
appears to be from a different domain from the current location.
This exploit also applies to the Macintosh version of Explorer
v5.2.3(5815.1)
It does also apply to Mozilla Firebird 0.7.
Not the Linux edition, perhaps only on Windows?
--
Andreas Plesner Jacobsen | Owe no man any thing...
| -- Romans 13:8
Charles Richmond Implemented Integrated Systems Corporation
cmr@xxxxxxxx cmr@xxxxxxx YIM:cmriisc http://www.iisc.com
O/S, I18N, Systems Development, Process and Integration Providers
131 Bishop's Forest Drive , Waltham , Ma. USA 02452
(781) 647 2246 FAX (781) 647 3665 Cellular (781) 389 9777