The real problem is the http: URL syntax. Good design does not allow secondary attributes (account and password) to precede primary attributes (hostname), and the convention of URI query arguments allowing anything after the ? confuses it a bit more. Consider these URLs:

http://[EMAIL PROTECTED]
http://[EMAIL PROTECTED]
The RFC says that the first is a username www.microsoft.com followed by a host www.slashdot.org. The second is a hostname www.microsoft.com followed by query parameter @www.slashdot.org. That is extremely bad language design because similar syntax has entirely different (and opposite) meaning. The whole scheme needs to be deprecated and a better one invented.

What this whole thread is about is that browsers and people both misinterpret it. Would it not be better to fix the syntax? At least allow browsers to ban this username:[EMAIL PROTECTED] syntax and allow them to prompt for username:password and use a different HTTP command other than GET to send it for authentication. At present most usage of http authentication is after a 404 error which then sends information in the headers, so it is not actually used much even in cases where authentication is needed.

Perhaps a separate authenticated method AGET that would allow it instead of being allowed on all HTTP methods would be a start. Then any site getting an AGET instead of a GET would know that authentication was coming.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nick FitzGerald
Sent: December 11, 2003 4:29 PM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability

It was written (by whom doesn't really matter):

> Check that. With Moz 1.5:
>
> Opening in a new *TAB* takes one to MS. Clicking the link takes one to /.
> with "http://[EMAIL PROTECTED]/" in the address bar.
>
> That's odd.

Not at all.

Can you not read HTML source? The page has an href anchor tag (to MS) and a script (with a %01-obfuscated URL to /. that "implicates" MS) on the onclick event for the anchor tag. Thus, clicking the link _IF YOU ARE SILLY ENOUGH TO HAVE SCRIPTING ENABLED_ activates the script that implements the "trick" URL.

(Almost) anything else you do in Moz (or a Moz-derived browser) to access that URL will result in the script not being activated and the plain URL in the href argument of the anchor tag being "seen" and/or acted on instead (that is why MS' URL is seen in the status bar ("task bar"?) when you float the mouse over the URL).

You should now be able to work the rest out.

...

In general, there have been a lot of really badly misinformed comments in this thread. Things that suggest the poster does not understand the userinfo part of the URI RFC; things that suggest the poster has no idea that the "left hand URL" is not a URL at all; and more. Please folk, if you don't know how something works either _ask_ or sit back and read (as the odds are someone will explain it all in plainer language or the penny will otherwise drop within a few more posts anyway). If you are not absolutely sure that you understand how it works, don't post "it works in mozilla" (when it clearly does not) or any of the other myriad (near) clueless responses we've seen. Clueless posts add substantially to the noise and can greatly increase the workload of folk who are now worrying about what, if anything, they can do to reduce their exposure to this.

Cheers...

Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
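To make the parsing rule the reply describes concrete (userinfo before the first "@" in the authority, host after it, and anything after "?" being query), here is an added example that is not from either poster. It splits the authority by the URI RFC grammar, cross-checks against Python's urllib, and flags the decoy pattern discussed above; the sample URLs are constructed from the thread's description (the real addresses are masked in the quoted mail), and the percent-encoded control-character check is an added defensive heuristic.

```python
import re
from urllib.parse import urlsplit, unquote

# RFC 2396/3986 layout: scheme "://" authority, where the authority runs up to the
# first "/", "?" or "#" and userinfo (if present) is the part before its first "@".
_ABS_URL = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.\-]*://(?P<authority>[^/?#]*)")
_HOSTLIKE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$")


def split_authority(url):
    """Return (userinfo, host) for an absolute URL; userinfo is "" when absent."""
    m = _ABS_URL.match(url)
    if not m:
        raise ValueError("not an absolute URL with an authority: %r" % url)
    userinfo, at, hostport = m.group("authority").partition("@")
    if not at:                      # no "@": the whole authority is host[:port]
        userinfo, hostport = "", userinfo
    if hostport.startswith("["):    # IPv6 literal, assumed form "[addr]:port"
        host = hostport[1:hostport.index("]")]
    else:
        host = hostport.split(":", 1)[0]
    return userinfo, host.lower()


def audit_link(url):
    """Summarise where a link really goes and what about it looks like a decoy."""
    userinfo, host = split_authority(url)
    decoded = unquote(userinfo.split(":", 1)[0])          # ignore any password part
    ctrl = [c for c in decoded if ord(c) < 0x20 or c == "\x7f"]
    visible = "".join(c for c in decoded if c not in ctrl)
    return {
        "host": host,                                       # where a request really goes
        "userinfo": userinfo,
        "decoy_host": bool(_HOSTLIKE.match(visible.lower())),  # userinfo reads like a host
        "control_chars": bool(ctrl),                        # e.g. a %01 hidden in userinfo
        "stdlib_agrees": urlsplit(url).hostname == host,    # cross-check with urllib
    }


if __name__ == "__main__":
    # Constructed URLs matching the thread's description, not copied from the page.
    for u in ("http://www.microsoft.com@www.slashdot.org/",
              "http://www.microsoft.com/?@www.slashdot.org",
              "http://www.microsoft.com%01@www.slashdot.org/",
              "http://www.slashdot.org/"):
        print(u, "->", audit_link(u))
```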
