[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerabi lity

To: full-disclosure@lists.netsys.com
Subject: RE: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerabi lity
From: Nick FitzGerald <nick@virus-l.demon.co.uk>
Date: Sat, 13 Dec 2003 00:08:31 +1300

jbruce@unitedscience.com wrote:

> Using internet explorer, you can also put http://whateverhere@google.com
> and that will take you to google. It only matters what you put after the
> @ sign. I noticed that one day while putting in my email address in for
> hotmail. 

And not _just_ in IE.

What you have described is, in fact, more or less the "expected 
behaviour" of a web browser given the input you described and RFC 2396. 
Surely to comment in such a thread you have read the RFC that defines 
the format of URIs:

   ftp://ftp.rfc-editor.org/in-notes/rfc2396.txt

Search for "userinfo".

...

I'll repeat my earlier suggestion that I'm sure it would be greatly 
appreciated all round if only moderately clueful responses were posted 
in this thread...

Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- RE: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerabi lity
  - From: "Bill Royds" <full-disclosure@royds.net>

References:
- RE: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerabi lity
  - From: jbruce@unitedscience.com

Prev by Date: Re: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability
Next by Date: [Full-Disclosure] MDKSA-2003:115 - Updated net-snmp packages fix vulnerability
Previous by thread: RE: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerabi lity
Next by thread: RE: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerabi lity
Index(es):
- Date
- Thread