[vox-tech] New phishing vulnerability

Rob Rogers vox-tech@lists.lugod.org
Fri, 12 Dec 2003 10:20:30 +0000


On Fri, Dec 12, 2003 at 12:52:07AM -0800, Bill Kendrick wrote:
> Ah - here we go :)
> 
> 
> New IE Bug Hides Real Site Address
>     from the can't-blame-the-user-for-this-one dept.
>     posted by michael on Thursday December 11, @08:37 (ie)
>     http://slashdot.org/article.pl?sid=03/12/11/1319212

Reading the comments turned up something even scarier (when combined with this). First, I found out how to put the 0x01 directly in the HTML with a &#1. Second, there's a bug in both IE and Mozilla (just tested with 1.5.whatever's latest in Debian Sid) that nothing after a %00 will show up in the status bar. Combine the two, and (in IE) nothing after the username shows up in either the status bar or the URL bar.

POC
http://wizardstower.net/ie.html

The "Click me" link points to http://www.paypal.com&#1%00@wizardstower.net but on IE I see nothing after .com, and on Moz I see nothing after the 0x01 character (showing as one of those funky 'unknown character' type boxes).
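
A defender-side check for the link form described in this message, as an added example that is not part of the original post: it takes an href attribute value, decodes numeric character references and percent-escapes in the userinfo part, and reports the host the browser will actually contact. The function name `inspect_href`, the finding strings and the two example.com/example.org inputs are assumptions made for illustration; IPv6 literals are not handled.

```python
import re
from urllib.parse import unquote

# Numeric character references, decimal or hex, with or without the trailing ';'
_CHARREF = re.compile(r"&#(?:[xX]([0-9a-fA-F]+)|([0-9]+));?")

def _decode_charrefs(s):
    """Decode numeric character references, keeping control characters
    (html.unescape() drops references such as &#1 instead of decoding them)."""
    def repl(m):
        code = int(m.group(1), 16) if m.group(1) else int(m.group(2))
        return chr(code) if code <= 0x10FFFF else "\ufffd"
    return _CHARREF.sub(repl, s)

def inspect_href(href):
    """Return (real_host, userinfo, findings) for an http(s) href value."""
    url = _decode_charrefs(href)
    m = re.match(r"(?i)https?://([^/?#]*)", url)
    if not m:
        return None, None, []
    # Everything before the last '@' in the authority is userinfo, not the host.
    userinfo, at, hostport = m.group(1).rpartition("@")
    host = hostport.split(":")[0].lower()
    findings = []
    if at:
        findings.append("userinfo present")
        decoded = unquote(userinfo, encoding="latin-1")
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
            findings.append("control character in userinfo")
        if re.search(r"[a-z0-9-]+\.[a-z]{2,}", decoded, re.I):
            findings.append("userinfo looks like a hostname")
    return host, userinfo, findings

# Sample inputs: the first is the link quoted in the message, the others are constructed.
SAMPLES = [
    "http://www.paypal.com&#1%00@wizardstower.net",
    "http://user@example.org:8080/",
    "https://example.com/path?x=a@b",
]

if __name__ == "__main__":
    for href in SAMPLES:
        host, userinfo, findings = inspect_href(href)
        print(f"{href!r}: real host = {host}, findings = {findings}")
```

A mail or proxy filter can apply the same check to every anchor it sees and display or log the returned host in place of the text shown to the user.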