Bugtraq mailing list archives
Re: MSIEv6 % encoding - Konqueror 3.0.3 also vulnerable
From: Dirk Mueller <mueller () kde org>
Date: Sat, 7 Sep 2002 01:07:39 +0200
On Fri, 06 Sep 2002, Piotr Pawłow wrote:
> Test page for Konqueror is at: http://pp.siedziba.pl/2f/
This is actually not related to the % encoding problem in IE, but a general regression that was introduced in the KDE 3.0.3 release. Below is the fix which has been tested and committed to CVS already.

Note that this is a fairly minor problem, as the evilhacker can always create a subdomain like yahoo.evilhacker.net and proxy the yahoo pages there, and all browsers will give access to the frames in this case.

Note that in any case the "wrong" URL is still visible in the location bar so it should be obvious that although it looks like yahoo, it isn't yahoo at all.

--
Dirk
Attachment: crosside-3.0.diff