Bugtraq mailing list archives

IE Domain Confusion Vulnerability

From: aleph1 () SECURITYFOCUS COM (Foo Bar)
Date: Thu, 11 May 2000 13:56:09 -0700


IE can be fooled into thinking a web page is in any domain by encoding
some characters in the URL and placing the domain you want to spoof
at the end of the URL. For example the URL

http://www.peacefire.org%2fsecurity%2fiecookies%2fshowcookie.html%3F.amazon.com

is in the pecefire.org domain but because "/" and "?" are replaced by
"%2f" and "%3f" IE will think the URL is in the amazon.com domain.

You can find more information at http://www.peacefire.org/security/iecookies/
Although the web page only mentions cookies it may be possible to exploit
the problem in other ways as the security setting for domains may be
different. For example the users may allow the execution of unsigned
ActiveX controls from its company domain.

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum

Current thread:

"I don't think I really love you", (continued)
- "I don't think I really love you" Michal Zalewski (May 07)
- Re: non-exec stack Casper Dik (May 08)
  - Re: non-exec stack Gert Doering (May 09)
    - Re: non-exec stack Casper Dik (May 09)
    - Re: non-exec stack Nate Eldredge (May 10)
    - 쀼릿: Re: non-exec stac ZhaoQian (May 10)
    - Alert: IIS ism.dll exposes file contents Cerberus Security Team (May 11)
    - ISSalert: Internet Security Systems Security Advisory: Microsoft IIS Remote Denial of Service Attack Warren Barrow (May 11)
    - Remote DoS attack in Internet Information Server 4.0 & 5.0 "Malformed Extension Data in URL" Vulnerability Ussr Labs (May 11)
    - Microsoft Security Bulletin (MS00-030) Microsoft Product Security (May 11)
    - IE Domain Confusion Vulnerability Foo Bar (May 11)
    - Overflow in Outlook Express 4.* - too long filenames with graphic format extension Ultor (May 12)
    - Eudora Sensitive to Long Filenames Ron Moritz (May 18)
    - IE Domain Confusion Vulnerability is an Email problem also Richard M. Smith (May 12)
    - Re: IE Domain Confusion Vulnerability doesn't matter much Marc Slemko (May 12)
    - Re: IE Domain Confusion Vulnerability doesn't matter much Richard M. Smith (May 15)
    - Vulnerability in CGI counter 4.0.7 by George Burgyan Howard M. Kash III (May 15)
    - Vulnerability in EMURL-based e-mail providers Pierre Benoit (May 15)
    - New Solaris root exploit for /usr/lib/lp/bin/netpr Anonymous (May 12)
    - Microsoft Security Bulletin (MS00-034) Microsoft Product Security (May 12)
    - Microsoft Office 2000 Advisory dildog (May 12)