Full Disclosure mailing list archives
Re: Re: Internet Explorer URL parsing vulnerabi lity
From: Dave Sherohman <esper () sherohman org>
Date: Thu, 11 Dec 2003 14:44:37 -0600
On Thu, Dec 11, 2003 at 10:36:41AM -0800, Jim Race wrote:
Check that. With Moz 1.5: Opening in a new *TAB* takes one to MS. Clicking the link takes one to /. with "http://www.microsoft.com%01 () slashdot org/" in the address bar. That's odd.
Not all that odd. Take a look at the source for that link: <a href="http://www.microsoft.com" onclick="location.href=unescape('http://www.microsoft.com%01 () slashdot org/');return false;"> The link actually _is_ to microsoft initially, but the onclick handler changes it to microsoft%01@slashdot. If you hit it without triggering the onclick handler (say, by middle-clicking to open it in a new tab), then going to microsoft is to be expected. -- The freedoms that we enjoy presently are the most important victories of the White Hats over the past several millennia, and it is vitally important that we don't give them up now, only because we are frightened. - Eolake Stobblehouse (http://stobblehouse.com/text/battle.html) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: Re: Internet Explorer URL parsing vulnerabi lity David Vincent (Dec 10)
- <Possible follow-ups>
- RE: Re: Internet Explorer URL parsing vulnerabi lity David Vincent (Dec 11)
- RE: Re: Internet Explorer URL parsing vulnerabi lity Frank Knobbe (Dec 11)
- Re: Re: Internet Explorer URL parsing vulnerabi lity Jim Race (Dec 11)
- Re: Re: Internet Explorer URL parsing vulnerabi lity Jim Race (Dec 11)
- Re: Re: Internet Explorer URL parsing vulnerabi lity Heikki Toivonen (Dec 11)
- Re: Re: Internet Explorer URL parsing vulnerabi lity Dave Sherohman (Dec 11)
- Re: Re: Internet Explorer URL parsing vulnerabi lity Nick FitzGerald (Dec 11)
- RE: Re: Internet Explorer URL parsing vulnerabi lity Bill Royds (Dec 11)
- Re: Re: Internet Explorer URL parsing vulnerabi lity William Warren (Dec 11)
- Re: Re: Internet Explorer URL parsing vulnerabi lity Peter Moody (Dec 11)