Vulnerability Development mailing list archives

Re: Odd MSIE html parsing


From: "Florian Hobelsberger / BlueScreen" <genius28 () gmx de>
Date: Fri, 18 Jan 2002 00:11:37 +0100

For me it worked with Internet Explorer Version 5.50.4522.1200 on Windows
2K.

But you must not enter the "^B" which is on the end. So, instead of

"http://www.ca1.waredet.net.co.fr^T^B^T^E^T|https.travel.bzah.com^B"

you must enter

"http://www.ca1.waredet.net.co.fr^t^b^t^e^t|https.travel.bzah.com", then it
should work at least on a system comparable to mine.

You can replace the first part of the URL with any page you want.
But I was not able to replace the second part of the URL in a working way
yet.

Greetings,


-------------------------------------------------------
BlueScreen / Florian Hobelsberger (UIN: 101782087)
Member of:
www.IT-Checkpoint.net
www.Hackeinsteiger.de
www.NGSecurity.de
www.DvLdW.de.vu

For questions about data security, please contact:
www.Hackeinsteiger-Board.de
www.Securitypoint-board.de.vu

To encrypt classified messages, please use this PGP-Key:

----- Original Message -----
From: "Golden_Eternity" <bhodi_jabir () yahoo com>
To: "Matthew S. Hallacy" <poptix () techmonkeys org>;
<vuln-dev () securityfocus com>
Sent: Wednesday, January 02, 2002 7:45 PM
Subject: RE: Odd MSIE html parsing


Wasn't able to reproduce this with patched IE6 on 2k.

-----Original Message-----
From: Matthew S. Hallacy [mailto:poptix () techmonkeys org]
Sent: Wednesday, January 02, 2002 5:36 AM
To: vuln-dev () securityfocus com
Subject: Odd MSIE html parsing


I received an odd spam today, the links were obfuscated as follows:

<A HREF="http://www.ca1.waredet.net.co.fr^T^B^T^E^T|https.travel.bzah.com^B">

clicking on the link in MSIE shows the following in the address bar:
'http://www.ca1.waredet.net.co.fr(?????)|https.travel.bzah.com/'
while it's really going to https.travel.bzah.com (a stupid angelfire spam
site, die die die)

Comments? I'm curious as to why MSIE allows control characters in the url
like this, it didn't work in Mozilla.

- Matthew S. Hallacy
--
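
A defensive check for the link form discussed in this thread, as an added example that is not part of the original messages: it extracts each href from HTML and flags raw control bytes anywhere in the URL, plus characters RFC 3986 does not allow in the authority. It assumes the archive's `^T^B^T^E^T` is caret notation for the bytes 0x14 0x02 0x14 0x05 0x14; the function names and the sample HTML are constructed for illustration.

```python
import string
from html.parser import HTMLParser

# Characters RFC 3986 allows in a URL authority (userinfo, host, port).
AUTHORITY_OK = set(string.ascii_letters + string.digits + "-._~%!$&'()*+,;=:@[]")

class HrefCollector(HTMLParser):
    """Collect the raw href value of every <a> tag."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def audit_href(url):
    """Return a list of findings for one href; an empty list means clean."""
    findings = []
    # Inspect the raw string, before any URL library can normalise it.
    controls = sorted({ord(c) for c in url if ord(c) < 0x20 or ord(c) == 0x7F})
    if controls:
        findings.append("control bytes: " + " ".join(f"0x{c:02x}" for c in controls))
    _scheme, sep, rest = url.partition("://")
    if sep:
        # The authority ends at the first '/', '?' or '#'.
        end = min((i for i in map(rest.find, "/?#") if i != -1), default=len(rest))
        bad = sorted({c for c in rest[:end] if c.isprintable() and c not in AUTHORITY_OK})
        if bad:
            findings.append("illegal authority chars: " + " ".join(bad))
    return findings

def audit_html(html):
    """Return (href, findings) for every link that has at least one finding."""
    collector = HrefCollector()
    collector.feed(html)
    collector.close()
    return [(u, f) for u in collector.hrefs if (f := audit_href(u))]

# Constructed sample: the link with assumed control bytes, the typed
# literal-caret variant from the reply, and an ordinary link for contrast.
SAMPLE = (
    '<A HREF="http://www.ca1.waredet.net.co.fr\x14\x02\x14\x05\x14|https.travel.bzah.com\x02">a</A>'
    '<a href="http://www.ca1.waredet.net.co.fr^t^b^t^e^t|https.travel.bzah.com">b</a>'
    '<a href="http://www.example.org/index.html?a=b|c">c</a>'
)

if __name__ == "__main__":
    for url, findings in audit_html(SAMPLE):
        print(repr(url), findings)
```

The third link is not reported because its `|` sits in the query string, outside the authority the check is scoped to.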




