Full Disclosure mailing list archives
RE: Re: Internet Explorer URL parsing vulnerabi lity
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sat, 13 Dec 2003 00:08:31 +1300
jbruce () unitedscience com wrote:
Using internet explorer, you can also put http://whateverhere () google com and that will take you to google. It only matters what you put after the @ sign. I noticed that one day while putting in my email address in for hotmail.
And not _just_ in IE. What you have described is, in fact, more or less the "expected behaviour" of a web browser given the input you described and RFC 2396. Surely to comment in such a thread you have read the RFC that defines the format of URIs: ftp://ftp.rfc-editor.org/in-notes/rfc2396.txt Search for "userinfo". ... I'll repeat my earlier suggestion that I'm sure it would be greatly appreciated all round if only moderately clueful responses were posted in this thread... Regards, Nick FitzGerald _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: Re: Internet Explorer URL parsing vulnerabi lity jbruce (Dec 11)
- RE: Re: Internet Explorer URL parsing vulnerabi lity Mortis (Dec 11)
- RE: Re: Internet Explorer URL parsing vulnerabi lity Bill Royds (Dec 11)
- RE: Re: Internet Explorer URL parsing vulnerabi lity Nick FitzGerald (Dec 12)
- RE: Re: Internet Explorer URL parsing vulnerabi lity Bill Royds (Dec 12)
- RE: Re: Internet Explorer URL parsing vulnerabi lity Mortis (Dec 11)