Re: IE URL obfuscation bug, part 2 -- failure to send server the full obfuscated URL

From: Felix Kasza (felixk2_at_MVPS.ORG)
Date: 12/11/03

    Date:         Thu, 11 Dec 2003 20:12:51 +0100
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Gary,

    > User types into the URL bar:
    > http://www.ebay.com%01@testurl.ideaflood.com/filepath/file.htm
    > [...]
    > So the server is unable to see the original URL,
    > with the obfuscated portions. [...]

    The server will never see the 01h byte as part of either host name or
    path, as it is part of the authentication data -- it belongs to the
    "username" part in

            http://[username[:password]@]www.domain.com[/path]

    If the server responded with a 401 to the initial request, forcing the
    browser to submit authentication data, the server would get to see the
    01h byte, but still not as part of the URL or host name.

    Cheers,
    Felix.
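
The split described in the message above, as an added example that is not part of the original post: it separates the quoted URL into userinfo, host and path, builds the request the server receives first, and the retry that follows a 401. The function names are hypothetical and the Basic authentication scheme is an assumption.

```python
import base64
from urllib.parse import urlsplit, unquote_to_bytes

def what_server_sees(url):
    """Split a URL as described in the message and show where each part travels."""
    parts = urlsplit(url)
    # Everything before the last "@" in the authority is userinfo, not host.
    userinfo, _, hostport = parts.netloc.rpartition("@")
    user, _, password = userinfo.partition(":")
    user_bytes = unquote_to_bytes(user)      # "%01" becomes the byte 0x01
    pass_bytes = unquote_to_bytes(password)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    # Initial request: userinfo is in neither the request line nor the Host header.
    initial = f"GET {path} HTTP/1.1\r\nHost: {hostport}\r\n\r\n"
    # Only after a 401 are credentials sent (assumption: Basic scheme).
    token = base64.b64encode(user_bytes + b":" + pass_bytes).decode("ascii")
    retry = (f"GET {path} HTTP/1.1\r\nHost: {hostport}\r\n"
             f"Authorization: Basic {token}\r\n\r\n")
    return {"host": hostport, "user_bytes": user_bytes,
            "initial": initial, "after_401": retry}

def suspicious_userinfo(url):
    """Defender-side check: reasons the userinfo part may be masking the real host."""
    user_bytes = what_server_sees(url)["user_bytes"]
    reasons = []
    if any(b < 0x20 or b == 0x7F for b in user_bytes):
        reasons.append("control byte in userinfo")
    if b"." in user_bytes:
        reasons.append("userinfo looks like a host name")
    return reasons

# URL taken from the quoted message above.
URL = "http://www.ebay.com%01@testurl.ideaflood.com/filepath/file.htm"

if __name__ == "__main__":
    seen = what_server_sees(URL)
    print(seen["initial"])
    print(seen["after_401"])
    print(suspicious_userinfo(URL))
```

A mail gateway or proxy can apply the same check to links before they reach a user, since the server-side access log alone will not contain the userinfo part.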

    
