[vox-tech] New phishing vulnerability

Larry Ozeran vox-tech@lists.lugod.org
Fri, 12 Dec 2003 16:52:52 -0800


At 10:20 AM 12/12/03 +0000, you wrote:
>On Fri, Dec 12, 2003 at 12:52:07AM -0800, Bill Kendrick wrote:
>> Ah - here we go :)
>> 
>> 
>> New IE Bug Hides Real Site Address
>>     from the can't-blame-the-user-for-this-one dept.
>>     posted by michael on Thursday December 11, @08:37 (ie)
>>     http://slashdot.org/article.pl?sid=03/12/11/1319212
>
>Reading the comments turned up something even scarier (when combined with
this). First, I found out how to put the 0x01 directly in the html with a
&#1. Second, there's a bug in both IE and Mozilla (just tested with
1.5.whatever's latest in Debian Sid) that nothing after a %00 will show up
in the status bar. Combine the two, and (in IE) nothing after the username
shows up in either the status bar or the URL bar.
>
>POC
>http://wizardstower.net/ie.html
>
>The "Click me" link points to http://www.paypal.com&#1%00@wizardstower.net
but on IE I see nothing after .com, and on Moz I see nothing after the 0x01
character (showing as one of those funky 'unknown character' type boxes)

After clicking the "Click me" link in NS 4.7 my address bar shows:
http://www.paypal.com%00@wizardstower.net/

But you're right in MS IE 5.5, when hovering over the link the status bar
shows:
http://www.paypal.com
Same in address bar after clicking.

That is scary. Rob, thanks for all your work on this. It will be one more
chink in the MS armor at work. (One of our support guys repeatedly says
Linux "will never happen" at Sutter Health. We'll see.)

- Larry