Full Disclosure mailing list archives
RE: Re: Internet Explorer URL parsing vulnerability
From: Jarkko Turkulainen <jt () klake org>
Date: Thu, 11 Dec 2003 18:36:03 +0200 (EET)
https://paypal.com Although I did notice that the <button> seems to be a requirement for this vulnerability to work, as using a plain hyperlink <a href> fails for me.
I managed to get it working by using a raw 0x01 character in the URL:

<a href='http://www.microsoft.com 0x01 @other_site>

Of course, you must use a hex editor to insert the 0x01. Some other interesting effects can be achieved with:

<a href='http://www.microsoft.com 0x09 0x09 0x09 0x09 0x09 0x09 0x01 0x01 .. many more 0x01's .. 0x01 @other_site

Regards,
--
Jarkko Turkulainen <jt () klake org>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
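Added example, not part of the original post: a defensive check that scans HTML for links whose userinfo (the text before "@") contains control bytes such as the 0x01 and 0x09 described above, and reports the host the link really resolves to. The names inspect_href and scan_html and the host other-site.example are hypothetical, and the check goes beyond the post by also decoding percent-encoded forms (%01, %09).

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Authority: text between "scheme://" and the first "/", "?" or "#".
_AUTHORITY = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*://([^/?#]*)")
# C0 control characters (0x01 and 0x09 included), space, and DEL.
_SUSPECT = re.compile(r"[\x00-\x20\x7f]")


def inspect_href(href):
    """Return the real host of href and whether its userinfo hides it."""
    m = _AUTHORITY.match(href.lstrip())
    if not m:
        return None  # relative link, mailto:, etc.
    userinfo, at, hostport = m.group(1).rpartition("@")
    host = hostport.split(":")[0].lower()  # IPv6 literals not handled
    if not at:
        return {"host": host, "apparent": None, "suspicious": False}
    decoded = unquote(userinfo)  # also catches %01, %09, %20 ...
    # Text before the first control byte is what a reader may take as the site.
    apparent = _SUSPECT.split(decoded, maxsplit=1)[0]
    return {"host": host, "apparent": apparent,
            "suspicious": bool(_SUSPECT.search(decoded))}


class _Links(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]


def scan_html(markup):
    """Return findings for every <a href> whose userinfo has control bytes."""
    parser = _Links()
    parser.feed(markup)
    parser.close()
    return [r for r in map(inspect_href, parser.hrefs) if r and r["suspicious"]]


# Constructed sample markup; other-site.example is a placeholder host.
SAMPLE = (
    "<a href='http://www.microsoft.com\x01@other-site.example/'>one</a>"
    "<a href='http://www.microsoft.com\t\t\x01\x01@other-site.example/'>two</a>"
    "<a href='https://www.example.com/docs'>three</a>"
)
```

Running scan_html(SAMPLE) flags the first two links and leaves the third alone; a mail or web content filter could use the same test to rewrite or reject such links.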