IE URL obfuscation bug, part 2 -- failure to send server the full obfuscated URL

From: Gary Shuster (legal_at_IDEAFLOOD.COM)
Date: 12/11/03

  • Next message: Felix Kasza: "Re: IE URL obfuscation bug, part 2 -- failure to send server the full obfuscated URL"
Date: Thu, 11 Dec 2003 10:31:58 -0800
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

There is a further complication with dealing with this issue. We administer
a free web host (so we get some of these "phishing" scams uploaded to our
servers). We know from our access logs that hundreds of people respond to
phishing scams.

I wanted to implement an ISAPI filter on our web server that would identify
any incoming URL in the form of
http://www.ebay.com%01@testurl.ideaflood.com/filepath/file.htm but to my
surprise the filter is not passed the full URL. Here is the "conversation"
between client and server:

User types into the URL bar:
http://www.ebay.com%01@testurl.ideaflood.com/filepath/file.htm

Browser sends server:
GET /filepath/file.htm HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword,
application/x-shockwave-flash, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR
1.1.4322; .NET CLR 1.0.3705)
Host: testurl.ideaflood.com
Connection: Keep-Alive

So the server is unable to see the original URL, with the obfuscated
portions. That means that the user can't see it in the URL bar, and the
server has no way of knowing that the user is being misled.

I would suggest that a portion of the fix needed for this bug is to also fix
the failure of the server to be able to see the actual URL requested.
Perhaps the data can be sent in the Host field, or in a new field. Such a
fix would allow service providers to implement filters that would prevent
even non-upgraded clients from being duped. Of course, an alternative would
be for Microsoft to send out an update to its IIS that automatically blocks
URLs with %01 or %00, saving service providers the trouble of writing
filters to do it.

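The point of the message above, reproduced as an added example (not code from the post or from IDEAFLOOD): an HTTP/1.1 client transmits only the path and the Host header, so the userinfo before "@" that carries the misleading "www.ebay.com%01" never reaches the server, and a server-side ISAPI filter has nothing to inspect. The check for percent-encoded control characters in the userinfo is therefore something only a client, a proxy or a gateway in front of the browser can apply; the URL and function names are constructed for this example.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit, unquote

# Constructed sample: the URL quoted in the message above.
TYPED_URL = "http://www.ebay.com%01@testurl.ideaflood.com/filepath/file.htm"


def browser_request(url: str) -> Tuple[str, str]:
    """Return (request line, Host header) as an HTTP/1.1 client sends them.

    The userinfo ("user:pass@") part of the authority is not part of the
    request line and not part of Host, so it is never transmitted.
    """
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return f"GET {path} HTTP/1.1", f"Host: {parts.hostname}"


def dropped_userinfo(url: str) -> Optional[str]:
    """Everything before the last '@' in the authority: what the server never sees."""
    netloc = urlsplit(url).netloc
    if "@" not in netloc:
        return None
    return netloc.rsplit("@", 1)[0]


def looks_like_obfuscation(url: str) -> bool:
    """Flag a URL whose userinfo carries percent-encoded control characters
    (%00..%1F, the values the message asks IIS to block) or reads like a
    hostname (e.g. "www.ebay.com"), which is the visible half of the trick.

    Heuristic: a dotted username such as "first.last" would also be flagged,
    which is the price of catching lookalike hostnames in the userinfo.
    """
    userinfo = dropped_userinfo(url)
    if userinfo is None:
        return False
    decoded = unquote(userinfo)
    has_control = any(ord(c) < 0x20 for c in decoded)
    looks_like_host = "." in userinfo.split(":", 1)[0]
    return has_control or looks_like_host


if __name__ == "__main__":
    line, host = browser_request(TYPED_URL)
    print(line)
    print(host)
    print("never sent:", dropped_userinfo(TYPED_URL))
    print("flag:", looks_like_obfuscation(TYPED_URL))
```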
    
