Re: RE: FWD: Internet Explorer URL parsing vulnerability

[Nick FitzGerald <nick () virus-l demon co uk>]

Michal Zalewski <lcamtuf () ghettot org> wrote:

> > http://www.microsoft.com%01 () www linux org
> >  wont work until you
> > unescape('http://www.microsoft.com%01 () www linux org');
>
> Out of sheer curiosity (no MSIE at hand)... would it work with:
>
>   <a href="http://A\x01@B";>
>
> ...meaning, put literal ASCII character #001 in a href tag, as opposed to
> using JavaScript or alikes?

I just posted a reply to the OP's message on Bugtraq about my tests of 
precisely this (half expect it won't appear there, but...).  
Unfortunately, I forgot to keep a copy of that message so can't just 
repost those comments here.

In short, it appears you can use a 0x01 character instead of the "%01 
and unescape" combo the OP used.

Further, I looked at using this in an http-equiv=refresh "redirect" 
situation.  In a straight use of that approach, it failed (using either 
the %01 or 0x01 character method), but worked if you used a script to 
write the http-equiv=refresh statement into the document.  I don't have 
a suitable server set-up handy at the moment to test whether it works 
in a server-side redirect.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html