A vulnerability has been found in Internet Explorer, which displays a
fake URL in the address and status bars.

I have been told that the vulnerability is caused by an input
validation error, which can be exploited by including the "%01" and
"%00" URL-encoded representations after the username and right before
the "@" character in a URL.  I have tested this and it is incorrect.  I
had to put a "non-printable" character before %00.  Check the source of
the example.

An example can be found at http://www.tobes.com/urlspoof.html.  There is
a link called "spoofed link"; if you place your mouse over the
link, IE will display microsoft.com.  If you click the link, you
will be sent to sclinux.org, but the address bar will display microsoft.com.

Ryan and I have tested using Opera and Mozilla on a Windows machine.
Opera was not vulnerable, but Mozilla was partially vulnerable.  If any of you want
to test using a Linux machine, please feel free to, and post your
findings to the list.


Cheers
[jeromey] 

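The spoof described in the post relies on the userinfo part of a URL (everything before the "@" in the authority) being mistaken for the host. The following is an added example, not code from the post, from Ryan, or from the linked page: a small authority parser that reports the host a client really connects to, lists any non-printable characters hidden in the userinfo, and flags URLs whose userinfo could pass for a hostname. Since the poster found that %01%00 alone was not enough and a further non-printable character was needed, the check treats any control character in the userinfo as suspicious rather than looking for one fixed sequence. The sample URLs are constructed for illustration and follow the post's microsoft.com / sclinux.org pattern; the parser is a plain RFC 2396-style split and does not handle bracketed IPv6 hosts.

```javascript
// Added example (not from the original post): show which host a URL with
// userinfo really points at, and flag userinfo that could be mistaken for
// the host (hostname-like text, or non-printable characters such as the
// %01 / %00 padding described in the post).
// Assumption: a plain scheme://authority/rest split; bracketed IPv6 hosts
// are not handled. Sample URLs below are constructed for illustration.

function splitUrl(url) {
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):\/\/([^/?#]*)(.*)$/.exec(url);
  if (!m) return null;
  const authority = m[2];
  const at = authority.lastIndexOf('@');          // the LAST "@" ends userinfo
  const userinfo = at === -1 ? null : authority.slice(0, at);
  const hostport = at === -1 ? authority : authority.slice(at + 1);
  const host = hostport.replace(/:\d*$/, '').toLowerCase();  // strip :port
  return { scheme: m[1].toLowerCase(), userinfo, host, rest: m[3] };
}

// Decode %XX sequences byte-wise; unlike decodeURIComponent this does not
// throw on byte values that are not valid UTF-8.
function decodePercent(s) {
  return s.replace(/%([0-9a-fA-F]{2})/g,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// The host the client actually connects to (sclinux.org in the post's case).
function realHost(url) {
  const p = splitUrl(url);
  return p ? p.host : null;
}

// Code points below 0x20 (plus 0x7F) found in the decoded userinfo, in order.
function controlCharsInUserinfo(url) {
  const p = splitUrl(url);
  if (!p || p.userinfo === null) return [];
  const out = [];
  for (const ch of decodePercent(p.userinfo)) {
    const cp = ch.charCodeAt(0);
    if (cp < 0x20 || cp === 0x7f) out.push(cp);
  }
  return out;
}

// True when the userinfo could be read as the host: it contains a dot
// (hostname-looking) or any non-printable character.
function isSpoofCandidate(url) {
  const p = splitUrl(url);
  if (!p || p.userinfo === null) return false;
  return decodePercent(p.userinfo).includes('.') ||
         controlCharsInUserinfo(url).length > 0;
}

// Summary for one URL: what a careless display would show as the host
// (userinfo with its control characters dropped) versus what is fetched.
function describe(url) {
  const p = splitUrl(url);
  if (!p) return { valid: false };
  const shown = p.userinfo === null
    ? p.host
    : decodePercent(p.userinfo).replace(/[\x00-\x1f\x7f]/g, '');
  return {
    valid: true,
    shownAsHost: shown,
    realHost: p.host,
    controlChars: controlCharsInUserinfo(url),
    spoofCandidate: isSpoofCandidate(url),
  };
}

// Constructed samples modelled on the post's description.
const SAMPLES = [
  'http://www.microsoft.com/',
  'http://www.microsoft.com%01%00@sclinux.org/',
  'http://user:pass@example.com/path',
];

function report() {
  return SAMPLES.map((u) => ({ url: u, ...describe(u) }));
}

console.log(JSON.stringify(report(), null, 2));
```

Run it with node; the second sample reports shownAsHost "www.microsoft.com", realHost "sclinux.org", controlChars [1, 0] and spoofCandidate true, while the ordinary user:pass form is not flagged because its userinfo neither looks like a hostname nor contains control characters.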