Bugtraq mailing list archives
RE: (Fwd) MSIEv6 % encoding causes a problem again
From: Thor Larholm <Thor () jubii dk>
Date: Thu, 5 Sep 2002 11:18:42 +0200
From: Nick FitzGerald [mailto:nick () virus-l demon co uk]

Hi Thor,

Doesn't the following have similar implications to the issue in your TL#002 advisory??
Hi Nick,

close but no cigar - yet.

In its current state, this % encoding issue cannot escape protocol boundaries, which means that it cannot go from the Internet Zone to the My Computer Zone and execute commands or read local files. It can, however, do arbitrary cross domain scripting on any site in its current protocol, which means that you can steal cookies and read/change arbitrary content from foreign sites. If you e.g. have an HTTPS site yourself, you can read/change the content for any other HTTPS site displayed to the user - change the login form actions, read the user's bank accounts, etc.

The issue is not so much with escaped versions of / or \, but with escaping of characters in itself. When actually retrieving the content, IE looks at the escaped version of your URI and fetches your malicious code from brinkster.com (escaping the yahoo.com part makes it part of Basic Authentication). When it later needs to check cross domain security settings and see whether the 2 windows may communicate, it looks at the unescaped version of your URI - which by now is a reference to yahoo.com instead of brinkster.com, with the Basic Authentication being part of the filename.

Regards
Thor
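The mismatch described in the message (one host seen when fetching the escaped URI, another when checking the unescaped one) can be checked for defensively. The following is an added example, not part of the original message or of any vendor code: it parses a URL as written and again after percent-decoding, and refuses to name an origin when the two views disagree. The function names and the `bank.example` / `other.example` hosts are constructed for illustration.

```javascript
// Added example: detect URLs whose host depends on whether the string is
// percent-decoded before parsing. All hosts are constructed placeholders.

// Host as seen by a standards-based parser, or null if unparseable.
function hostOf(urlString) {
  try {
    return new URL(urlString).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Percent-decode without throwing on malformed sequences such as "%zz".
function safeDecode(s) {
  try {
    return decodeURIComponent(s);
  } catch (e) {
    return null;
  }
}

// Hosts seen for the raw string and for each successive decoding.
// Bounded rounds also catch double-encoded delimiters (%252F).
function hostViews(urlString, maxRounds = 3) {
  const views = [hostOf(urlString)];
  let current = urlString;
  for (let i = 0; i < maxRounds; i++) {
    const decoded = safeDecode(current);
    if (decoded === null || decoded === current) break;
    views.push(hostOf(decoded));
    current = decoded;
  }
  return views;
}

// Return the single host every view agrees on, or null when the views
// differ, so fetching and the security check can never use different hosts.
function originForPolicy(urlString) {
  const distinct = [...new Set(hostViews(urlString))];
  return distinct.length === 1 ? distinct[0] : null;
}

// Constructed sample: userinfo carries an escaped "/" ahead of the real host.
const sample = "https://bank.example%2Fx@other.example/page";
console.log(hostViews(sample), originForPolicy(sample));
```

A component that both fetches and authorizes should derive the host once, from one parse, and reject any URL for which `originForPolicy` returns null.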