IE URL obfuscation bug, part 2 -- failure to send server the full obfuscated URL
From: Gary Shuster (legal_at_IDEAFLOOD.COM)
Date: Thu, 11 Dec 2003 10:31:58 -0800
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
There is a further complication with dealing with this issue. We administer
a free web host (so we get some of these "phishing" scams uploaded to our
servers). We know from our access logs that hundreds of people respond to
I wanted to implement an ISAPI filter on our web server that would identify
any incoming URL in the form of
http://firstname.lastname@example.org/filepath/file.htm but to my
surprise the filter is not passed the full URL. Here is the "conversation"
between client and server:
User types into the URL bar:
Browser sends server:
GET /filepath/file.htm HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword,
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR
1.1.4322; .NET CLR 1.0.3705)
So the server is unable to see the original URL, with the obfuscated
portions. That means that the user can't see it in the URL bar, and the
server has no way of knowing that the user is being misled.
I would suggest that a portion of the fix needed for this bug is to also fix
the failure of the server to be able to see the actual URL requested.
Perhaps the data can be sent in the Host field, or in a new field. Such a
fix would allow service providers to implement filters that would prevent
even non-upgraded clients from being duped. Of course, an alternative would
be for Microsoft to send out an update to its IIS that automatically blocks
URLs with %01 or %00, saving service providers the trouble of writing
filters to do it.
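The exchange described above, modelled as an added example that is not part of the original post or of any IIS/ISAPI code. It assumes a constructed decoy URL (the hostnames are placeholders) and models the browser as sending an origin-form request target plus a Host header, which is what the captured conversation shows. The point it makes concrete: a server-side filter that only sees the request line and headers never sees the %01 marker, while the same check applied to the full URL (or to an absolute-form request target, as a proxy would receive) does catch it.

```python
"""Model of what a server receives when a client follows an obfuscated URL of
the form http://<decoy-host>%01@<real-host>/path.  Added example; not from the
original post.  Hostnames below are constructed placeholders."""
from urllib.parse import urlsplit

# The two byte-escapes the post proposes to block.
OBFUSCATION_MARKERS = ("%00", "%01")

# Constructed decoy URL: the part before %01 is what a victim is meant to read,
# the part after "@" is where the request actually goes.
DECOY_URL = "http://www.microsoft.com%01@evil.example/filepath/file.htm"


def userinfo_and_host(url):
    """Split the authority into (userinfo, real host) exactly as a URL parser
    does: everything before the last '@' is userinfo, not a hostname."""
    parts = urlsplit(url)
    userinfo, has_at, hostport = parts.netloc.rpartition("@")
    host = parts.hostname or ""
    if parts.port:
        host += f":{parts.port}"
    return (userinfo if has_at else ""), host


def request_as_sent(url):
    """Build the request line and Host header a browser transmits for `url`.
    The request target is origin-form (path and query only), so the userinfo
    carrying the decoy and the %01 marker is never put on the wire."""
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    _, host = userinfo_and_host(url)
    return [f"GET {target} HTTP/1.1", f"Host: {host}"]


def contains_marker(text):
    """True if any obfuscation marker appears in `text` (case-insensitive,
    so %01 and %01 written with other hex case both match)."""
    lowered = text.lower()
    return any(marker in lowered for marker in OBFUSCATION_MARKERS)


def url_is_obfuscated(url):
    """Client-side view: flag URLs whose userinfo carries a marker.  This is the
    check that would work if the server were given the full URL."""
    userinfo, _ = userinfo_and_host(url)
    return contains_marker(userinfo)


def server_side_filter(request_lines):
    """Server-side view (the ISAPI-filter idea): scan only what the server
    actually received, the request line and the headers."""
    return any(contains_marker(line) for line in request_lines)


def demo(url=DECOY_URL):
    """Run both views over the same URL and report what each one sees."""
    userinfo, real_host = userinfo_and_host(url)
    sent = request_as_sent(url)
    return {
        "decoy_text": userinfo,              # what the victim is shown
        "real_host": real_host,              # where the request goes
        "on_the_wire": sent,                 # what the server receives
        "detected_from_full_url": url_is_obfuscated(url),
        "detected_by_server_filter": server_side_filter(sent),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

For the constructed decoy URL the model reports that the full URL is detectable (True) but the request as sent is not (False), which is the gap the post describes. The same `server_side_filter` does return True for an absolute-form request target such as `GET http://www.microsoft.com%01@evil.example/filepath/file.htm HTTP/1.1`, which is one concrete form the post's suggested fix (sending the original URL to the server) could take.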