Full Disclosure mailing list archives

Re: RE: FWD: Internet Explorer URL parsing vulnerability


From: "Clint Bodungen" <clint () secureconsulting com>
Date: Tue, 9 Dec 2003 15:30:00 -0600

Well, using a straight link like the following works in an HTML email... but
not on a web page:

<a href="http://www.microsoft.com%01 () www linux org">Microsoft</a>

However, using this approach still allows the user to see the absolute URL
path in the task bar (with the %01 omitted).

On the other hand... using the button and "unescape()" approach such as the
original example from this thread works from a web page but not from an HTML
email.


----- Original Message ----- 
From: "S G Masood" <sgmasood () yahoo com>
To: "Exibar" <exibar () thelair com>; <full-disclosure () lists netsys com>
Sent: Tuesday, December 09, 2003 1:00 PM
Subject: Re: [Full-disclosure] RE: FWD: Internet Explorer URL parsing
vulnerability



--- Exibar <exibar () thelair com> wrote:
my favorite will be this one that I'm sure will
circulate:

http://www.microsoft.com%01 () www linux org

  :-)

http://www.microsoft.com%01 () www linux org
 won't work until you
unescape('http://www.microsoft.com%01 () www linux org');


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
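
A defensive check for the link pattern discussed in this thread, as an added example that is not part of the original messages: it flags links whose userinfo part (the text before "@") carries an encoded control character such as %01 or reads like a hostname. The function names, the sample HTML and the .example hosts are assumptions made for illustration, and the WHATWG `URL` parser (Node.js or a current browser) is assumed.

```javascript
// Added example. SAMPLE_HTML is constructed; hosts are reserved .example names.
const SAMPLE_HTML =
  '<a href="http://www.example.com%01@other.example/">Example</a> ' +
  '<a href="https://docs.example/page">Docs</a>';

// Pull href values out of an HTML fragment (simple regex, enough for a filter demo).
function extractHrefs(html) {
  const hrefs = [];
  const re = /href\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  let m;
  while ((m = re.exec(html)) !== null) hrefs.push(m[1] || m[2] || "");
  return hrefs;
}

// Return the reasons a URL is suspicious; an empty array means no finding.
function inspectUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (err) {
    return ["unparseable URL"]; // relative or malformed; absolute URLs assumed
  }
  if (url.username === "" && url.password === "") return [];
  const reasons = ["userinfo present; real host is " + url.hostname];
  // The WHATWG parser keeps %XX escapes and percent-encodes raw control
  // characters, so the escaped and the unescape()'d forms look the same here.
  if (/%(?:[01][0-9a-f]|7f)/i.test(url.username + url.password)) {
    reasons.push("control character in userinfo");
  }
  // Userinfo that reads like a hostname once escapes are dropped.
  const visible = url.username.replace(/%[0-9a-f]{2}/gi, "");
  if (/^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(visible)) {
    reasons.push("userinfo looks like a hostname: " + visible);
  }
  return reasons;
}

// Scan a fragment and return only the links that produced findings.
function scanHtml(html) {
  return extractHrefs(html)
    .map((href) => ({ href, reasons: inspectUrl(href) }))
    .filter((finding) => finding.reasons.length > 0);
}

console.log(JSON.stringify(scanHtml(SAMPLE_HTML), null, 2));
```
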

