[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerabi lity

To: "'Mortis'" <m0rtis@adelphia.net>, <full-disclosure@lists.netsys.com>
Subject: RE: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerabi lity
From: "Bill Royds" <full-disclosure@royds.net>
Date: Thu, 11 Dec 2003 20:27:20 -0500

Even better check out (from RFC1738)
3.3. HTTP

   The HTTP URL scheme is used to designate Internet resources
   accessible using HTTP (HyperText Transfer Protocol).

   The HTTP protocol is specified elsewhere. This specification only
   describes the syntax of HTTP URLs.

   An HTTP URL takes the form:

      http://<host>:<port>/<path>?<searchpart>

   where <host> and <port> are as described in Section 3.1. If :<port>
   is omitted, the port defaults to 80.  No user name or password is
   allowed.  <path> is an HTTP selector, and <searchpart> is a query
   string. The <path> is optional, as is the <searchpart> and its
   preceding "?". If neither <path> nor <searchpart> is present, the "/"
   may also be omitted.

   Within the <path> and <searchpart> components, "/", ";", "?" are
   reserved.  The "/" character may be used within HTTP to designate a
   hierarchical structure.

Which says that a browser should not allow the username:password part for a
HTTP protocol base URL

-----Original Message-----
From: full-disclosure-admin@lists.netsys.com
[mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Mortis
Sent: December 11, 2003 6:46 PM
To: full-disclosure@lists.netsys.com
Subject: RE: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerabi
lity

> Using internet explorer, you can also put 
> http://whateverhere@google.com and
> that will take you to google. It only matters 
> what you put after the @ sign.
> I noticed that one day while putting in my email 
> address in for hotmail. 

J,

Check out 3.1 in this doc.  

http://www.faqs.org/rfcs/rfc1738.html

I haveto clean the beeeeer off my keyyyyboard.

:)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- RE: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerabi lity
  - From: "Mortis" <m0rtis@adelphia.net>

Prev by Date: RE: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerabi lity
Next by Date: Re: [Full-Disclosure] sharing ssh session
Previous by thread: RE: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerabi lity
Next by thread: RE: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerabi lity
Index(es):
- Date
- Thread