Full Disclosure mailing list archives

RE: Re: Internet Explorer URL parsing vulnerabi lity

From: "Bill Royds" <full-disclosure () royds net>
Date: Thu, 11 Dec 2003 20:27:20 -0500

Even better check out (from RFC1738)
3.3. HTTP

   The HTTP URL scheme is used to designate Internet resources
   accessible using HTTP (HyperText Transfer Protocol).

   The HTTP protocol is specified elsewhere. This specification only
   describes the syntax of HTTP URLs.

   An HTTP URL takes the form:

      http://<host>:<port>/<path>?<searchpart>

   where <host> and <port> are as described in Section 3.1. If :<port>
   is omitted, the port defaults to 80.  No user name or password is
   allowed.  <path> is an HTTP selector, and <searchpart> is a query
   string. The <path> is optional, as is the <searchpart> and its
   preceding "?". If neither <path> nor <searchpart> is present, the "/"
   may also be omitted.

   Within the <path> and <searchpart> components, "/", ";", "?" are
   reserved.  The "/" character may be used within HTTP to designate a
   hierarchical structure.

Which says that a browser should not allow the username:password part for a
HTTP protocol base URL

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Mortis
Sent: December 11, 2003 6:46 PM
To: full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] Re: Internet Explorer URL parsing vulnerabi
lity

Using internet explorer, you can also put 
http://whateverhere () google com and
that will take you to google. It only matters 
what you put after the @ sign.
I noticed that one day while putting in my email 
address in for hotmail.


J,

Check out 3.1 in this doc.  

http://www.faqs.org/rfcs/rfc1738.html

I haveto clean the beeeeer off my keyyyyboard.

:)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

RE: Re: Internet Explorer URL parsing vulnerabi lity jbruce (Dec 11)
- RE: Re: Internet Explorer URL parsing vulnerabi lity Mortis (Dec 11)
  - RE: Re: Internet Explorer URL parsing vulnerabi lity Bill Royds (Dec 11)
- RE: Re: Internet Explorer URL parsing vulnerabi lity Nick FitzGerald (Dec 12)
  - RE: Re: Internet Explorer URL parsing vulnerabi lity Bill Royds (Dec 12)