RE: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerabi lity

From: Bill Royds (full-disclosure_at_royds.net)
Date: 12/12/03

  • Next message: Ricardo Moura: "Re: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability"
    To: "'Mortis'" <m0rtis@adelphia.net>, <full-disclosure@lists.netsys.com>
    Date: Thu, 11 Dec 2003 20:27:20 -0500
    
    

    Even better check out (from RFC1738)
    3.3. HTTP

       The HTTP URL scheme is used to designate Internet resources
       accessible using HTTP (HyperText Transfer Protocol).

       The HTTP protocol is specified elsewhere. This specification only
       describes the syntax of HTTP URLs.

       An HTTP URL takes the form:

          http://>:<port>/<path>?<searchpart>

       where <host> and <port> are as described in Section 3.1. If :<port>
       is omitted, the port defaults to 80. No user name or password is
       allowed. <path> is an HTTP selector, and <searchpart> is a query
       string. The <path> is optional, as is the <searchpart> and its
       preceding "?". If neither <path> nor <searchpart> is present, the "/"
       may also be omitted.

       Within the <path> and <searchpart> components, "/", ";", "?" are
       reserved. The "/" character may be used within HTTP to designate a
       hierarchical structure.

    Which says that a browser should not allow the username:password part for a
    HTTP protocol base URL

    -----Original Message-----
    From: full-disclosure-admin@lists.netsys.com
    [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Mortis
    Sent: December 11, 2003 6:46 PM
    To: full-disclosure@lists.netsys.com
    Subject: RE: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerabi
    lity

    > Using internet explorer, you can also put
    >
    http://whateverhere@google.com and
    > that will take you to google. It only matters
    > what you put after the @ sign.
    > I noticed that one day while putting in my email
    > address in for hotmail.

    J,

    Check out 3.1 in this doc.

    http://www.faqs.org/rfcs/rfc1738.html

    I haveto clean the beeeeer off my keyyyyboard.

    :)

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


  • Next message: Ricardo Moura: "Re: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability"