IE URL obfuscation bug, part 2 -- failure to send server the full obfuscated URL

From: Gary Shuster (legal_at_IDEAFLOOD.COM)
Date: 12/11/03

    Date: Thu, 11 Dec 2003 10:31:58 -0800
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    There is a further complication with dealing with this issue. We administer
    a free web host (so we get some of these "phishing" scams uploaded to our
    servers). We know from our access logs that hundreds of people respond to
    phishing scams.

    I wanted to implement an ISAPI filter on our web server that would identify
    any incoming URL in the form of
    http://www.ebay.com%01@testurl.ideaflood.com/filepath/file.htm but to my
    surprise the filter is not passed the full URL. Here is the "conversation"
    between client and server:

    User types into the URL bar:
    http://www.ebay.com%01@testurl.ideaflood.com/filepath/file.htm

    Browser sends server:
    GET /filepath/file.htm HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 1.0.3705)
    Host: testurl.ideaflood.com
    Connection: Keep-Alive

    So the server is unable to see the original URL, with the obfuscated
    portions. That means that the user can't see it in the URL bar, and the
    server has no way of knowing that the user is being misled.

    I would suggest that a portion of the fix needed for this bug is to also fix
    the failure of the server to be able to see the actual URL requested.
    Perhaps the data can be sent in the Host field, or in a new field. Such a
    fix would allow service providers to implement filters that would prevent
    even non-upgraded clients from being duped. Of course, an alternative would
    be for Microsoft to send out an update to its IIS that automatically blocks
    URLs with %01 or %00, saving service providers the trouble of writing
    filters to do it.

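As an added example (not code from the post or from the poster's ISAPI filter), the following Python sketch shows both halves of the problem described above: what the server actually receives for the quoted URL, and the checks a hosting provider can run at the one place where the complete URL still exists, namely the pages uploaded to the host. The HTML fragment and the two heuristics are constructed for this example.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample, using the URL quoted in the post.
SAMPLE_URL = "http://www.ebay.com%01@testurl.ideaflood.com/filepath/file.htm"

# Constructed page fragment: one obfuscated link next to an ordinary one.
SAMPLE_HTML = (
    '<a href="http://www.ebay.com%01@testurl.ideaflood.com/filepath/file.htm">'
    'Sign in</a> <a href="http://www.example.com/help.htm">Help</a>'
)

def request_as_sent(url: str) -> dict:
    """Rebuild the only two request pieces the server receives for `url`:
    the request line (path plus query) and the Host header. The userinfo
    before '@' is consumed by the browser and never goes on the wire, so
    a server-side filter (ISAPI or otherwise) cannot see it."""
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return {"request_line": f"GET {target} HTTP/1.1", "host": parts.hostname}

def userinfo_flags(url: str) -> list:
    """Inspect the userinfo of a full URL (only possible where the whole
    string is available: hosted pages, mail bodies, proxy logs) and report
    the two tells of this trick: a percent-encoded control character such
    as %00 or %01, and a userinfo that looks like a host name."""
    parts = urlsplit(url)
    userinfo = parts.username
    if userinfo is None:
        return []
    flags = []
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in unquote(userinfo)):
        flags.append("control-char-in-userinfo")
    if re.search(r"[a-z0-9-]+\.[a-z]{2,}", userinfo, re.IGNORECASE):
        flags.append("hostname-like-userinfo")
    return flags

HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)

def scan_html(html: str) -> list:
    """Return (url, flags) for every link in `html` that trips a flag, so
    uploaded content can be checked offline, before anyone clicks it."""
    hits = []
    for url in HREF_RE.findall(html):
        flags = userinfo_flags(url)
        if flags:
            hits.append((url, flags))
    return hits
```

Running request_as_sent on the sample reproduces the post's observation: only `GET /filepath/file.htm HTTP/1.1` and `Host: testurl.ideaflood.com` are derivable from the request, so scan_html has to run over the stored content instead.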
    
