Full Disclosure mailing list archives

IE 6 XSS


From: "Roland Postle" <mail () blazde co uk>
Date: Thu, 05 Sep 2002 02:36:03 +0100

Ahhh - time to bust out the old Unicode tekniqz...

http://www.ebay.com%25%32%46%40www%2emsn%2ecom/
http://www.ebay.com%252f%40www%2emsn%2ecom/
http://www.ebay.com%25%32%46%40%57%57%57%2e%4d%53%4e%2e%43%4f%4d/

Myth. It's not unicode, just URL encoded ISO-Latin. There is currently
no way to put unicode in URLs, don't let that similar looking 'extended
unicode directory traversal' thingy in IIS last year confuse you. That
was just IIS misinterpreting the request. Probably Microsoft trying to
'extend' the standard to include unicode.

And.... I don't see how it's XSS either.

And.... it's not tekniqz, it's techniques :D 

- Blazde
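
An added example (not part of the original post): a Python check that applies one pass of percent-decoding to the three URLs quoted above, confirms every escape is a single byte in the ASCII range rather than any Unicode encoding, and flags the `@` that appears in the authority once decoded. The function names are hypothetical and the parsing follows Python's `urllib.parse`; how IE 6 itself handled these URLs is not shown here.

```python
import re
from urllib.parse import unquote_to_bytes, urlsplit

# The three URLs quoted in the post.
URLS = [
    "http://www.ebay.com%25%32%46%40www%2emsn%2ecom/",
    "http://www.ebay.com%252f%40www%2emsn%2ecom/",
    "http://www.ebay.com%25%32%46%40%57%57%57%2e%4d%53%4e%2e%43%4f%4d/",
]

ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")


def escaped_bytes(url):
    """Byte value of every %XX escape in the URL as written."""
    return [int(h, 16) for h in ESCAPE.findall(url)]


def decode_once(url):
    """One pass of percent-decoding, reading the bytes as ISO-8859-1."""
    return unquote_to_bytes(url).decode("latin-1")


def analyse(url):
    """Decode once, then split the result with generic URL syntax."""
    decoded = decode_once(url)
    netloc = urlsplit(decoded).netloc
    return {
        "decoded": decoded,
        # True when no escape encodes a byte outside 7-bit ASCII.
        "all_ascii": all(b < 0x80 for b in escaped_bytes(url)),
        # Text before the last '@' is userinfo, not the host.
        "userinfo": netloc.rpartition("@")[0],
        "host": urlsplit(decoded).hostname,
        # An '@' or a leftover '%' in the authority deserves a second look.
        "suspicious": "@" in netloc or "%" in netloc,
    }


if __name__ == "__main__":
    for u in URLS:
        r = analyse(u)
        print(f"{u}\n  decoded : {r['decoded']}\n  userinfo: {r['userinfo']}"
              f"\n  host    : {r['host']}\n  ascii   : {r['all_ascii']}"
              f"\n  flag    : {r['suspicious']}")
```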


