Re: IE URL obfuscation

From: Jakob Balle (jb_at_SECUNIA.COM)
Date: 12/11/03

    Date:         Thu, 11 Dec 2003 18:10:45 +0100
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Hi,

    Chris Hall reported to us that it is also possible to manipulate the
    information displayed in the status bar by also including the
    URL-encoded representation "%00" before the "@".

    We have made a test which demonstrates this. Note that our test does not
    use JavaScript to generate the link. Therefore, the "%01" character is
    not visible.

    Our Test:
    http://www.secunia.com/internet_explorer_address_bar_spoofing_test/

    Also, our advisory on this:
    http://www.secunia.com/advisories/10395/

    Kind regards,

    Jakob Balle, Secunia
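
A link check for the obfuscation described in this message, added here as an example (it is not code from Secunia or from the original post): it reports the host a URL really points to and flags percent-encoded control characters such as "%00" or "%01" in the part before the "@". The function name `inspect_link` and the `.example` URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# C0 control characters and DEL: not printable, so they can hide or cut off
# whatever follows them when a URL is displayed.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def inspect_link(url):
    """Describe userinfo-based obfuscation in `url` (hypothetical helper)."""
    parts = urlsplit(url)
    # Everything before the last "@" in the authority is userinfo, not the host.
    userinfo, at, _ = parts.netloc.rpartition("@")
    decoded = unquote(userinfo, encoding="latin-1")  # one byte -> one character
    controls = sorted({"%{:02X}".format(ord(c)) for c in _CONTROL.findall(decoded)})

    reasons = []
    if at:
        reasons.append("userinfo-present")
        if "." in decoded:
            reasons.append("userinfo-looks-like-host")
        if controls:
            reasons.append("control-char-before-@")

    return {
        "real_host": parts.hostname,   # the host the client connects to
        "userinfo": userinfo or None,  # what a reader may mistake for the host
        "control_chars": controls,
        "reasons": reasons,
        "suspicious": bool(controls) or "userinfo-looks-like-host" in reasons,
    }


if __name__ == "__main__":
    # Constructed sample links; the .example domains are reserved names.
    samples = [
        "https://www.trusted.example/account",
        "ftp://user@files.example/pub/",
        "http://www.trusted.example%01@other.example/login.html",
        "http://www.trusted.example%00@other.example/login.html",
    ]
    for link in samples:
        result = inspect_link(link)
        verdict = "FLAG" if result["suspicious"] else "ok"
        print(f"{verdict:4} host={result['real_host']} "
              f"controls={result['control_chars']} reasons={result['reasons']}")
```
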

    
