[vox-tech] New phishing vulnerability

Larry Ozeran vox-tech@lists.lugod.org
Tue, 09 Dec 2003 21:04:21 -0800


I use old browsers. MSIE 5.50 and Netscape 4.77 both work OK for me.
(i.e. http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.htm
displays on the address line for both)

- Larry

At 01:54 PM 12/9/03 -0600, you wrote:
>There was a thread[1] about 2 months ago about email scams and making URLs
>look innocent, mostly by putting the site you're trying to look like in as
>a username in your URL i.e. http://www.ebay.com@hackedsite.com/scam.html
>
>I thought today's Internet Explorer vulnerability might be of interest...
>This came across bugtraq-digest today.
>
>The quick synopsis: add a 0x01 character (HTML %01) to a URL and MSIE will
>not display anything after that character in the URL bar. Their exploit
>link is
>http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.htm which
>shows as http://www.microsoft.com in IE. They tested on 6.0 with SP1 and
>other patches...I've verified it on my wife's computer running IE 5.0
>
>
>Subject: Internet Explorer URL parsing vulnerability
>Date:    Tue, December 9, 2003 8:44 am
>To:      bugtraq@securityfocus.com
>
>Internet Explorer URL parsing vulnerability
>Vendor Notified 09 December, 2003
>
># Vulnerability ##########
>There is a flaw in the way that Internet Explorer displays URLs in the
>address bar.
>
>By opening a specially crafted URL an attacker can open a page that
>appears to be from a different domain from the current location.
>
># Exploit ##########
>By opening a window using the http://user@domain nomenclature an attacker
>can hide the real location of the page by including a 0x01 character after
>the "@" character. Internet Explorer doesn't display the rest of the URL,
>making the page appear to be at a different domain.
>
># POC ##########
>http://www.zapthedingbat.com/security/ex01/vun1.htm
>
># Tested ##########
>Internet Explorer
>Version 6.0.2800.1106C0
>Updates: SP1, Q810847, Q810351, Q822925, Q330994, Q828750, Q824145
>
># Credit ##########
>Zap The Dingbat
>http://www.zapthedingbat.com/
>
>
>
>[1]
>[vox-tech] one of the most pernicious spams i've ever seen.
>http://lugod.org/mailinglists/archives/vox-tech/2003-09/msg00172.html
>_______________________________________________
>vox-tech mailing list
>vox-tech@lists.lugod.org
>http://lists.lugod.org/mailman/listinfo/vox-tech
>
>
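Added example, not part of the thread or the advisory: a small Python checker that splits a URL on its real "@" (as RFC-style parsers and the browser's fetch path do), recovers the host actually contacted, and flags the two tricks discussed above, a hostname-looking username and a percent-encoded control character such as %01 in the userinfo. The `HOST_LIKE` heuristic and the function names are my own.

```python
import re
from urllib.parse import unquote, urlsplit

# Percent-decoded bytes below 0x20 (the advisory's 0x01) or 0x7f.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
# A bare domain name such as www.microsoft.com sitting where a username belongs.
HOST_LIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def analyze(url):
    """Return the real host of a URL plus findings about userinfo-based spoofing."""
    parts = urlsplit(url)
    # rpartition: the LAST '@' separates userinfo from host:port, so a decoy
    # domain placed before it never becomes the host that is actually fetched.
    userinfo, has_at, _hostport = parts.netloc.rpartition("@")
    decoded = unquote(userinfo)
    findings = []
    decoy = ""
    if has_at:
        findings.append("userinfo present")
        # Everything before the first control character is what the flawed
        # IE address bar rendered; the real host after '@' was cut off.
        decoy = CONTROL_CHARS.split(decoded, maxsplit=1)[0]
        if CONTROL_CHARS.search(decoded):
            findings.append("control character in userinfo")
        if HOST_LIKE.match(decoy):
            findings.append("userinfo looks like a hostname")
    return {
        "real_host": (parts.hostname or "").lower(),
        "decoy": decoy,
        "findings": findings,
        # Userinfo by itself is legitimate (ftp://anonymous@host), so require
        # a second indicator before calling the link suspicious.
        "suspicious": len(findings) > 1,
    }


if __name__ == "__main__":
    # URLs taken from the thread above, plus two benign controls (constructed).
    for sample in (
        "http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.htm",
        "http://www.ebay.com@hackedsite.com/scam.html",
        "ftp://anonymous@ftp.example.org/pub/",
        "http://www.microsoft.com/",
    ):
        print(sample, "->", analyze(sample))
```

Run it over the links extracted from a suspect message; a "suspicious" result means the host the browser connects to differs from the domain a reader would see.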