Re: IE URL obfuscation
From: Josh Tanski (mortonjt_at_ROCHESTER.RR.COM)
Date: Wed, 10 Dec 2003 13:36:57 -0500
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Ran some real quick tests with a fully patched IE6.0 on W2K:
If you put www.microsoft.com in the Trusted Sites Zone, when you try the
exploit at http://www.zapthedingbat.com/security/ex01/vun1.htm, IE still
displays the icon for the Internet Zone.
However, if you put www.zapthedingbat.com in the Restricted Sites zone (and
enable active scripting...), when you run the exploit URL, IE displays the
Internet Zone icon instead of the Restricted Sites zone icon.
Same thing if you put www.zapthedingbat.com in Trusted Sites or Local
Intranet; it seems to always run in the Internet Zone. So it does not
appear to be able to be used to spoof better trust than the Internet Zone.
Anyone confirm/deny this? I didn't try recreating the exploit for myself to
see if scripts/activex could actually be run that shouldn't be.