Bugtraq mailing list archives

RE: Internet Explorer URL parsing vulnerability


From: Lance James <lance.james () bakbone com>
Date: Wed, 10 Dec 2003 11:43:56 -0800

This also adds another effect. Since it's dropping to the rightmost URL and
it's a parsing issue with the display URL, SSL is additionally compromised
for this problem.

Scenario: Fake bank set up in .ru somewhere, attacker has a valid cert that
is signed by an authoritative Trent, and off the attacker goes phishing. They
click to go to www.bank.com (looks legit of course, especially now), and it
has their usual SSL login prompt without any warnings. This is not an actual
SSL technical problem, but it adds to the trickery.

-----Original Message-----
From: Pedro Castro [mailto:noupy () mail telepac pt] 
Sent: Tuesday, December 09, 2003 4:14 PM
To: bugtraq () securityfocus com
Subject: Re: Internet Explorer URL parsing vulnerability

It does also apply to Mozilla Firebird 0.7.



John W. Noerenberg II wrote:

This exploit also applies to the Macintosh version of Explorer 
v5.2.3(5815.1)

From: <bugtraq () zapthedingbat com>
To: bugtraq () securityfocus com
Subject: Internet Explorer URL parsing vulnerability



Internet Explorer URL parsing vulnerability
Vendor Notified 09 December, 2003

# Vulnerability ##########
There is a flaw in the way that Internet Explorer displays URLs in 
the address bar.

By opening a specially crafted URL, an attacker can open a page that 
appears to be from a different domain from the current location.

# Exploit ##########
By opening a window using the http://user@domain nomenclature, an 
attacker can hide the real location of the page by including a 0x01 
character after the "@" character.
Internet Explorer doesn't display the rest of the URL, making the page 
appear to be at a different domain.

# POC ##########
http://www.zapthedingbat.com/security/ex01/vun1.htm

# Tested ##########
Internet Explorer
Version 6.0.2800.1106C0
Updates: SP1, Q810847, Q810351, Q822925, Q330994, Q828750, Q824145

# Credit ##########
Zap The Dingbat
http://www.zapthedingbat.com/
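
Added example (not code from the advisory above or from any poster in this thread): how a link of the form http://<shown host>%01@<real host>/ is split by a standards-conforming parser (the WHATWG URL class built into Node.js), a routine that mimics the truncated address-bar rendering the advisory describes, and a check a proxy or link scanner can apply. Assumptions: the hostnames are placeholders, and the 0x01 byte is placed at the end of the userinfo, immediately before the "@", written as %01 so it survives inside an href.

```javascript
// Added example; not code from the advisory or the thread.
// ASSUMPTIONS: placeholder hostnames; the 0x01 byte ends the userinfo and
// sits right before "@", percent-encoded as %01 so it survives in an href.

// Build the crafted URL. The "shown" host is really the username part of
// the authority; the real host is whatever follows the "@".
function buildSpoofUrl(shownHost, realHost, path = "/login") {
  return `http://${shownHost}%01@${realHost}${path}`;
}

// Where the request actually goes: the host is what follows the last "@"
// in the authority, no matter what precedes it. URL is a Node.js global.
function realOrigin(urlString) {
  const u = new URL(urlString);
  return { host: u.hostname, username: u.username, password: u.password };
}

// Emulate the buggy address-bar rendering the advisory describes: decode the
// string and stop drawing at the first 0x01 byte. Everything from that byte
// onward, including the "@" and the real host, disappears from view.
function buggyDisplay(urlString) {
  const decoded = decodeURIComponent(urlString);
  const cut = decoded.indexOf("\u0001");
  return cut === -1 ? decoded : decoded.slice(0, cut);
}

// Filter-side check. The WHATWG parser percent-encodes control bytes it finds
// in userinfo, so a raw 0x01 and a literal "%01" both end up as "%01"; the
// regex matches either form in case a parser leaves the raw byte alone.
function classifyUrl(urlString) {
  let u;
  try {
    u = new URL(urlString);
  } catch {
    return "unparsable";
  }
  const userinfo = u.username + u.password;
  if (userinfo === "") return "clean";
  if (/%(0[0-9a-f]|1[0-9a-f]|7f)|[\u0000-\u001f\u007f]/i.test(userinfo)) {
    return "spoof";
  }
  return "userinfo"; // rare in legitimate links; many filters reject it outright
}

// Walk through one constructed sample.
const sample = buildSpoofUrl("www.bank.com", "www.attacker.example");
console.log("crafted:       ", sample);
console.log("buggy display: ", buggyDisplay(sample));
console.log("real origin:   ", realOrigin(sample));
console.log("classified as: ", classifyUrl(sample));
```

The practical lesson is the one the thread circles around: the certificate check happens against the host the parser resolves (www.attacker.example here), so the padlock is genuine, while the string the user reads stops at the control byte. Any filter should therefore reason about the parsed authority, never about the rendered string, and treat a userinfo component containing control characters as hostile.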



