Re: IE URL obfuscation

From: Donovan Bernauer (donovan_at_DONOVANB.COM)
Date: 12/10/03

    Date:         Wed, 10 Dec 2003 12:06:07 -0800
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Normal C strings terminate at the first NULL char. This is the way IE reads
    the current address when it writes to the address bar.

    When using a browser shell, the shell uses COM and B-strings to get the info
    from IE, and this properly handles the NULL char.

    If you folks right-click the web page in question,

    http://www.zapthedingbat.com/security/ex01/vun1.htm

    And select 'properties', you'll see the correct address is really known by
    IE - it's just the presentation code for the address bar that's goofed.

    Donovan Bernauer

    -----Original Message-----
    From: Windows NTBugtraq Mailing List
    [mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM] On Behalf Of Martin Christopher
    Sent: Wednesday, December 10, 2003 7:08 AM
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    Subject: Re: IE URL obfuscation

    This appears to be another case of 'Vanilla' IE implementations being
    vulnerable to the 'ploit, but browsers with extensions / additions being
    immune.

    I am running the SlimBrowser enhancements for IE and it showed the URL up
    as:
    http://www.microsoft.com @zapthedingbat.com/security/ex01/vun2.htm (exactly
    as shown)

    I would hypothesize that the results of this test are related to the
    character sets installed on your machine / browser.

    Martin Christopher
    Microsoft Systems
    Easynet Ltd

    */ The clock is ticking
       and from now on we are keeping score /*


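As an added illustration of the point Donovan makes about NUL termination versus length-counted strings (example code written for this page, not taken from the thread or from IE): a tiny length-prefixed string type standing in for a COM BSTR, a wcslen-style reader that stops at the embedded NUL, and a display-side check that detects such strings and renders the full counted buffer. The sample URL and the host example.invalid are constructed for the example.

```c
#include <stddef.h>
#include <wchar.h>

/* Stand-in for a COM BSTR: an explicit character count plus the data.
   A real BSTR stores a byte length in front of the characters; this
   struct only models the "length is explicit, not NUL-derived" property. */
typedef struct {
    size_t len;          /* wide characters in the buffer, NUL not counted */
    const wchar_t *data; /* may contain embedded L'\0' */
} lstr;

/* Constructed sample URL with an embedded NUL in the user-info part
   (the host example.invalid is made up for this example). */
static const wchar_t sample[] =
    L"http://www.microsoft.com\0@example.invalid/page.htm";

lstr sample_url(void) {
    lstr s = { sizeof(sample) / sizeof(sample[0]) - 1, sample };
    return s;
}

/* What a strlen/wcslen-style reader sees: the text stops at the first NUL. */
size_t cstr_visible_len(const lstr *s) { return wcslen(s->data); }

/* What a length-aware reader sees: the whole buffer. */
size_t lstr_len(const lstr *s) { return s->len; }

static int is_control(wchar_t c) { return c < 0x20 || c == 0x7F; }

/* Display-side check: any control character inside the counted buffer
   means the string cannot be shown verbatim without misleading the user. */
int url_has_control_chars(const lstr *s) {
    for (size_t i = 0; i < s->len; i++)
        if (is_control(s->data[i])) return 1;
    return 0;
}

/* Render over the full counted length, substituting '?' for control
   characters so the real host stays visible. Returns characters written. */
size_t render_for_display(const lstr *s, wchar_t *out, size_t outsz) {
    size_t n = 0;
    for (size_t i = 0; i < s->len && n + 1 < outsz; i++)
        out[n++] = is_control(s->data[i]) ? L'?' : s->data[i];
    out[n] = L'\0';
    return n;
}
```

The wcslen view reports only the characters before the NUL, which is exactly the address-bar truncation the thread describes, while the counted view and the sanitised rendering keep the real host visible.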
