RE: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerabi lity
From: Bill Royds (full-disclosure_at_royds.net)
Date: 12/12/03
To: "'Mortis'" <m0rtis@adelphia.net>, <full-disclosure@lists.netsys.com>
Date: Thu, 11 Dec 2003 20:27:20 -0500
Even better check out (from RFC1738)

3.3. HTTP

The HTTP URL scheme is used to designate Internet resources
accessible using HTTP (HyperText Transfer Protocol).

The HTTP protocol is specified elsewhere. This specification only
describes the syntax of HTTP URLs.

An HTTP URL takes the form:

http://

where <host> and <port> are as described in Section 3.1. If :<port>
is omitted, the port defaults to 80. No user name or password is
allowed. <path> is an HTTP selector, and <searchpart> is a query
string. The <path> is optional, as is the <searchpart> and its
preceding "?". If neither <path> nor <searchpart> is present, the "/"
may also be omitted.

Within the <path> and <searchpart> components, "/", ";", "?" are
reserved. The "/" character may be used within HTTP to designate a
hierarchical structure.

Which says that a browser should not allow the username:password part for a
HTTP protocol base URL

-----Original Message-----
From: full-disclosure-admin@lists.netsys.com
[mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Mortis
Sent: December 11, 2003 6:46 PM
To: full-disclosure@lists.netsys.com
Subject: RE: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerabi
lity

> Using internet explorer, you can also put
> http://whateverhere@google.com and
> that will take you to google. It only matters
> what you put after the @ sign.
> I noticed that one day while putting in my email
> address in for hotmail.

J,

Check out 3.1 in this doc.

http://www.faqs.org/rfcs/rfc1738.html

I have to clean the beeeeer off my keyyyyboard.

:)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
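The point made in this thread, that only the text after the "@" decides where an HTTP URL goes and that RFC 1738 section 3.3 allows no user name or password there, can be checked mechanically. The following is an added example, not part of the original posts: the function names and the sample text are constructed for illustration, and treating https the same as http is an assumption.

```python
import re
from urllib.parse import urlsplit

# Loose URL matcher for scanning message text (constructed for this example).
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def audit_http_url(url):
    """Return (host, userinfo, violates) for an http/https URL.

    host     -- where the request is really sent (text after the last '@')
    userinfo -- the 'user[:password]' text before the '@', or None
    violates -- True when userinfo is present, which RFC 1738 section 3.3
                does not allow in an HTTP URL
    """
    parts = urlsplit(url)
    # Assumption: https is held to the same rule as http.
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"not an HTTP URL: {url!r}")
    # Only the authority (between '//' and the next '/', '?' or '#') counts;
    # an '@' in the path or query string is ordinary data.
    userinfo, at, _hostport = parts.netloc.rpartition("@")
    return parts.hostname, (userinfo if at else None), bool(at)


def flag_userinfo_links(text):
    """List (url, userinfo, host) for every HTTP URL in text carrying userinfo."""
    findings = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:)")  # drop trailing punctuation
        host, userinfo, violates = audit_http_url(url)
        if violates:
            findings.append((url, userinfo, host))
    return findings


# Constructed sample: the URL quoted in the thread plus three made-up ones.
SAMPLE = """\
From the thread: http://whateverhere@google.com
With a password: http://user:secret@example.org:8080/a/b?x=1
At-sign only in the query: http://example.com/?mail=bob@example.net
Plain link: http://example.com/
"""

if __name__ == "__main__":
    for url, userinfo, host in flag_userinfo_links(SAMPLE):
        print(f"{url}\n  userinfo={userinfo!r}  real host={host}")
```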