[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] RE: FWD: Internet Explorer URL parsing vulnerability

"Clint Bodungen" <clint@secureconsulting.com> wrote:

> Well, using a straight link like the following works in an HTML email... but
> not on a web page:
> 
> <a href="http://www.microsoft.com%01@www.linux.org";>Microsoft</a>
> 
> However, using this approach still allows the user to see the absolute URL
> path in the task bar (with the %01 ommitted).

Not "omitted" but replaced with a (narrow) space.

The appearance of the absolute URL in the task bar is not a problem 
though.  Depending on how the URL is contained in the page this can be 
"fixed" with things such as "onmouseover" (one of the reasons the 
combination of such a "functional" DOM and scripting is pure evil...) 
and we have seen spammers do this already.  Of course, as the main 
concern here is only to fool IE users (almost a foregone conclusions 
because they _are_ IE users...) the old standard "obfuscate the URL in 
IE's task bar" trick of sticking a few dozen spaces after the spoofed 
domain and before the "@" (or before the "%01@" in this case) works 
just fine.

> On the other hand... using the button and "unescape()" approach such as the
> original example from this thread works from a web page but not from an HTML
> email.

Because you use a recent enough version of OE or Outlook which defaults 
to placing Email in the Restricted Sites zone which defaults to not 
allowing scripting...  Other MUAs dependent on IE's HTML rendering 
ActiveX controls may not be so forgiving and there are other ways to 
trick this out (see my forthcoming post about refreshes and the 
possibility of it working from server-side redirects).


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html