Bugtraq mailing list archives

Re: MSIEv6 % encoding causes a problem again


From: Dave Ahmad <da () securityfocus com>
Date: Wed, 4 Sep 2002 10:32:00 -0600 (MDT)


I am surprised that nobody has yet commented on this rather serious issue.
It appears that MSIE fails to properly extract the correct domain from the
URI string in the parent window when evaluating it against the child
domain to determine whether access is to be permitted.  This seems to be
because of the inclusion of "%2f" (HTTP encoded slash character) in a
URI-specified HTTP username.  I am guessing that the URI parser within
Explorer decides it has the complete domain once it sees a slash
without taking into consideration that it could be within a username/password.

Consequently, the HTTP username "www.yahoo.com" matches the domain of the
child window ( window.open("www.yahoo.com") ) and access is granted.  This
violates the "same-origin policy" and has numerous security implications.

In effect, this is similar to other issues found in Explorer recently
(most memorably, that discovered by thePull - http://online.securityfocus.com/bid/3721).

Mitigating factor:

The attacker must lure the victim to a page where the URI in the location
bar includes the target website as the username.  Not that the victim
has much time to do anything about it, this may look suspicious
(though there could be a way to set the location property, or whichever
is used, to the target website while keeping the value visible in the
location bar "normal").

David Ahmad
Symantec
http://www.symantec.com/

On 3 Sep 2002, Liu Die Yu wrote:

it's about cross-site scripting at MSIEv6 client side using % encoding,
but not the same as the one by PeaceFire.org which doesn't work on my PC.

[tested]MSIEv6(CN version)
{IEXPLORE.EXE file version: 6.0.2600.0000}
{MSHTML.DLL file version: 6.00.2600.0000}

[demo]
at
http://www16.brinkster.com/liudieyu/2FforMSIE/2FforMSIE-MyPage.htm
or
clik.to/liudieyu ==> 2FforMSIE-MyPage section.

[exp]
%?? in URL is decoded when IE calculates the domain, but not decoded while
downloading a page.
so
[CODE.URL]http://www.yahoo.com%2F () clik to/liudieyu
(     2F=hex$(asc('/'))       )
leads to clik.to/liudieyu instead of www.yahoo.com, and IE takes its domain
to be www.yahoo.com.

Very simple, that's all.

[contact]
liudieyuinchina () yahoo com cn
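The parse-order mistake both messages describe, modelled as an added example that is not code from either poster: the WHATWG URL parser (the `URL` class in current browsers and Node.js) is used to show what a browser gets when it splits the authority first and decodes afterwards, beside a reconstruction of the reported behaviour (decode the whole string, then split). The URL is the one from the report with the archive's address munging (` () ` for `@`, a space for `.`) restored; the check `userinfoHasEncodedDelimiter` is a hypothetical validator of my own, not anything in MSIE.

```javascript
// Added example, not from the original thread.  Models the same-origin
// failure the posts describe: whether "%2F" in the userinfo part of a URL is
// decoded before or after the authority is split decides which host the
// parser reports.

// URL from the report, with the archive's "@" munging restored.
// Real host: clik.to.  Userinfo (username): www.yahoo.com%2F
const REPORTED_URL = "http://www.yahoo.com%2F@clik.to/liudieyu";

// Correct order: split scheme/userinfo/host/path on the raw string, and only
// decode individual components afterwards.  This is what the WHATWG parser
// does, so URL.origin already reflects the real host.
function originParseThenDecode(raw) {
  return new URL(raw).origin; // scheme + host (+ non-default port)
}

// Reconstruction of the behaviour the thread describes: decode the whole
// string first, then parse.  The decoded "/" now terminates the authority at
// "www.yahoo.com" and the real host "clik.to" is pushed into the path.
function originDecodeThenParse(raw) {
  return new URL(decodeURIComponent(raw)).origin;
}

// Same-origin check as a browser should perform it: compare origins that
// were computed from the undecoded URLs of the two windows.
function sameOrigin(parentUrl, childUrl, computeOrigin = originParseThenDecode) {
  return computeOrigin(parentUrl) === computeOrigin(childUrl);
}

// Hypothetical defensive check for a URL validator or proxy: userinfo that
// carries percent-encoded authority delimiters ("/", "@", ":", "?", "#") is a
// sign of the confusion above and can simply be rejected.
function userinfoHasEncodedDelimiter(raw) {
  const u = new URL(raw);
  const userinfo = u.username + u.password; // left undecoded by the parser
  return /%(2f|40|3a|3f|23)/i.test(userinfo);
}

function demo() {
  const child = "http://www.yahoo.com/"; // what window.open("www.yahoo.com") loads
  return {
    correctOrigin: originParseThenDecode(REPORTED_URL),                 // "http://clik.to"
    buggyOrigin: originDecodeThenParse(REPORTED_URL),                   // "http://www.yahoo.com"
    correctCheck: sameOrigin(REPORTED_URL, child),                      // false: access denied
    buggyCheck: sameOrigin(REPORTED_URL, child, originDecodeThenParse), // true: access granted
    flagged: userinfoHasEncodedDelimiter(REPORTED_URL),                 // true
  };
}

console.log(demo());
```

Run it with `node` to see both origins side by side. The design point is the ordering: a URL must be split into components on the raw string, and percent-decoding applied per component only afterwards, so that an encoded delimiter inside one component can never be mistaken for the delimiter itself.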