[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-Disclosure] RE: FWD: Internet Explorer URL parsing vulnerability
- To: full-disclosure@lists.netsys.com
- Subject: Re: [Full-Disclosure] RE: FWD: Internet Explorer URL parsing vulnerability
- From: Nick FitzGerald <nick@virus-l.demon.co.uk>
- Date: Wed, 10 Dec 2003 11:57:04 +1300
Michal Zalewski <lcamtuf@ghettot.org> wrote:
> > http://www.microsoft.com%01@www.linux.org
> > wont work until you
> > unescape('http://www.microsoft.com%01@www.linux.org');
>
> Out of sheer curiosity (no MSIE at hand)... would it work with:
>
> <a href="http://A\x01@B";>
>
> ...meaning, put literal ASCII character #001 in a href tag, as opposed to
> using JavaScript or alikes?
I just posted a reply to the OP's message on Bugtraq about my tests of
precisely this (half expect it won't appear there, but...).
Unfortunately, I forgot to keep a copy of that message so can't just
repost those comments here.
In short, it appears you can use a 0x01 character instead of the "%01
and unescape" combo the OP used.
Further, I looked at using this in an http-equiv=refresh "redirect"
situation. In a straight use of that approach, it failed (using either
the %01 or 0x01 character method), but worked if you used a script to
write the http-equiv=refresh statement into the document. I don't have
a suitable server set-up handy at the moment to test whether it works
in a server-side redirect.
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html