Full Disclosure mailing list archives
Re: RE: FWD: Internet Explorer URL parsing vulnerability
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 10 Dec 2003 11:28:18 +1300
"Clint Bodungen" <clint () secureconsulting com> wrote:
Well, using a straight link like the following works in an HTML email... but not on a web page: <a href="http://www.microsoft.com%01 () www linux org">Microsoft</a> However, using this approach still allows the user to see the absolute URL path in the task bar (with the %01 ommitted).
Not "omitted" but replaced with a (narrow) space. The appearance of the absolute URL in the task bar is not a problem though. Depending on how the URL is contained in the page this can be "fixed" with things such as "onmouseover" (one of the reasons the combination of such a "functional" DOM and scripting is pure evil...) and we have seen spammers do this already. Of course, as the main concern here is only to fool IE users (almost a foregone conclusions because they _are_ IE users...) the old standard "obfuscate the URL in IE's task bar" trick of sticking a few dozen spaces after the spoofed domain and before the "@" (or before the "%01@" in this case) works just fine.
On the other hand... using the button and "unescape()" approach such as the original example from this thread works from a web page but not from an HTML email.
Because you use a recent enough version of OE or Outlook which defaults to placing Email in the Restricted Sites zone which defaults to not allowing scripting... Other MUAs dependent on IE's HTML rendering ActiveX controls may not be so forgiving and there are other ways to trick this out (see my forthcoming post about refreshes and the possibility of it working from server-side redirects). -- Nick FitzGerald Computer Virus Consulting Ltd. Ph/FAX: +64 3 3529854 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: FWD: Internet Explorer URL parsing vulnerability S G Masood (Dec 09)
- Re: RE: FWD: Internet Explorer URL parsing vulnerability Clint Bodungen (Dec 09)
- Re: Re: RE: FWD: Internet Explorer URL parsing vulnerability Clint Bodungen (Dec 09)
- Re: RE: FWD: Internet Explorer URL parsing vulnerability S . f . Stover (Dec 09)
- Re: RE: FWD: Internet Explorer URL parsing vulnerability Jeremiah Cornelius (Dec 09)
- <Possible follow-ups>
- FWD: Internet Explorer URL parsing vulnerability S G Masood (Dec 09)
- Re: RE: FWD: Internet Explorer URL parsing vulnerability S G Masood (Dec 09)
- Re: RE: FWD: Internet Explorer URL parsing vulnerability Clint Bodungen (Dec 09)
- Re: RE: FWD: Internet Explorer URL parsing vulnerability Nick FitzGerald (Dec 09)
- RE: RE: FWD: Internet Explorer URL parsing vulnerability Chris S (Dec 09)
- Re: RE: FWD: Internet Explorer URL parsing vulnerability Michal Zalewski (Dec 09)
- Re: RE: FWD: Internet Explorer URL parsing vulnerability Nick FitzGerald (Dec 09)
- Re: RE: FWD: Internet Explorer URL parsing vulnerability Clint Bodungen (Dec 09)
- Re: RE: FWD: Internet Explorer URL parsing vulnerability Clint Bodungen (Dec 09)
- RE: Internet Explorer URL parsing vulnerability http-equiv () excite com (Dec 09)
- RE: Internet Explorer URL parsing vulnerability http-equiv () excite com (Dec 09)
- RE: FWD: Internet Explorer URL parsing vulnerability Julian HO Thean Swee (Dec 09)
- Re: RE: FWD: Internet Explorer URL parsing vulnerability VeNoMouS (Dec 09)
- Re: RE: FWD: Internet Explorer URL parsing vulnerability S G Masood (Dec 09)
- Re: RE: FWD: Internet Explorer URL parsing vulnerability VeNoMouS (Dec 10)
- Re: RE: FWD: Internet Explorer URL parsing vulnerability VeNoMouS (Dec 09)
- Re: RE: FWD: Internet Explorer URL parsing vulnerability Clint Bodungen (Dec 09)