Bugtraq mailing list archives

RE: (Fwd) MSIEv6 % encoding causes a problem again


From: Thor Larholm <Thor () jubii dk>
Date: Thu, 5 Sep 2002 11:18:42 +0200

From: Nick FitzGerald [mailto:nick () virus-l demon co uk]
Hi Thor,
Doesn't the following have similar implications to the issue in your 
TL#002 advisory??

Hi Nick,

Close but no cigar - yet. In its current state, this % encoding issue cannot
escape protocol boundaries, which means that it cannot go from the Internet
Zone to the My Computer Zone and execute commands or read local files.

It can, however, do arbitrary cross domain scripting on any site in its
current protocol, which means that you can steal cookies and read/change
arbitrary content from foreign sites. If you e.g. have an HTTPS site
yourself, you can read/change the content for any other HTTPS site displayed
to the user - change the login form actions, read the user's bank accounts,
etc.

The issue is not so much with escaped versions of / or \, but with escaping
of characters in itself. When actually retrieving the content, IE looks at
the escaped version of your URI and fetches your malicious code from
brinkster.com (escaping the yahoo.com part makes it part of Basic
Authentication). When it later needs to check cross domain security settings
and see whether the 2 windows may communicate, it looks at the unescaped
version of your URI - which by now is a reference to yahoo.com instead of
brinkster.com, with the Basic Authentication being part of the filename.


Regards
Thor
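The mechanism Thor describes is a canonicalisation mismatch: the fetch uses the URI as written, the same-origin check uses the percent-decoded form, and escaping the "yahoo.com" part pushes it into the userinfo (Basic Authentication) portion of the authority. The following is an added example, not code from the thread, showing how a defender can detect URLs whose host changes under decoding (a useful proxy or log check); the sample URLs are constructed and only reuse the host names mentioned in the post.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit, unquote

def origin_parts(url: str) -> Tuple[str, Optional[str], str]:
    """Return (scheme, host, path) exactly as a URL parser sees them, with no decoding."""
    p = urlsplit(url)
    return (p.scheme.lower(), p.hostname, p.path)

def host_mismatch(url: str) -> dict:
    """Parse the URL twice: as written (the form used to fetch the resource) and
    after percent-decoding the whole string (the form a naive canonicaliser might
    hand to a cross-domain check). Report both hosts and whether they disagree."""
    raw = origin_parts(url)
    decoded = origin_parts(unquote(url))
    return {
        "fetch_host": raw[1],          # host that actually serves the content
        "decoded_host": decoded[1],    # host a decode-then-check policy would trust
        "userinfo": urlsplit(url).username,  # escaped text that landed in Basic Auth
        "mismatch": raw[1] != decoded[1],
    }

def flag_suspicious(urls):
    """Return the subset of URLs whose authority changes after percent-decoding."""
    return [u for u in urls if host_mismatch(u)["mismatch"]]

# Constructed sample URLs (not from the advisory): the first follows the pattern
# described in the post, the other two are benign uses of percent-encoding.
SAMPLES = [
    "http://www.yahoo.com%2Fmail%2F@brinkster.com/code.html",
    "http://brinkster.com/path%20with%20spaces.html",
    "https://www.yahoo.com/search?q=a%26b",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, host_mismatch(u))
```

The defensive rule this illustrates: run the same-origin comparison on the same form of the URL that was used for the fetch, and never percent-decode the whole string before splitting off the authority.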
