From Slashdot: http://slashdot.org/article.pl?sid=03/12/11/1319212

Posted by michael on Thursday December 11, @08:37AM
from the can't-blame-the-user-for-this-one dept.
Norman at Davis writes "ZDNet is running a story on a new security flaw in Microsoft's Internet Explorer which could let hackers use a technique to display a false Web address on a fake site according to an advisory from the Danish security company Secunia. The Danes report that 'the vulnerability is caused due to an input validation error, which can be exploited by including the "%01" URL encoded representation after the username and right before the "@" character in an URL.' PC World reports that 'Microsoft says it is investigating reports of the vulnerability. When that inquiry is complete, the company will take whatever steps it deems necessary, such as issuing a new patch, a spokesperson says.'

yeah!

I saw this yesterday and it works!

I am planning on sending my friends a bunch of emails with Sony music URL's with my music advertised and rated as a money maker lol


hahahah

love this!!!!

Sorry, Im a little slow. Where do you put the %01 etc?? Do you have an example egg, thx bro.

By opening a window using the http://user@domain nomenclature an attacker can hide the real location of the page by including a non printing character (%01) before the "@".<br/>
Internet Explorer doesn't display the rest of the URL making the page appear to be at a different domain.
<button onclick="location.href=unescape('http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.htm');" style="font: 8pt verdana, sans-serif;">
Test Exploit

http://www.zapthedingbat.com/security/ex01/vun1.htm


the problem for me is that it i don't know how to force an opening of a new window so I cannot truely re-create this yet.

Ok - I figured it out!

see Microsofts new homepage


Click here to see Microsofts new home page (http://www.Microsoft.com
%00@www.techzonez.com)


did you see the URL?


I can make it say anything I want

Click here (http://www.Eggheads House.com
%00@www.microsoft.com)


here is how to do it
your spoofed URL

%00@
the real URL




& # 0 1 ; % 0 0 @ is the actual command - remove the spaces

cheers
egghead
:)

Very cool...

http://www.secunia.com/internet_explorer_address_bar_spoofing_test/

http://theinquirer.net/?article=13158

THE BUG WE REPORTED earlier this week that allows people to spoof fake URL addresses, also partly affects Mozilla, according to Secunia today.
And there's a further vulnerability in Internet Explorer, Secunia claims. This allows the bottom left, status bar of a browser to be manipulated as well as the address bar, so that you're more likely to think a forged site is real.

Secunia said that Mozilla is partly vulnerable to this problem.

I rarely look at my status bar as it is. :eek:

Thx Egg, for the info, and must say very cool bug. Im sure there will be exploits galore on this one.

So now its not just a matter of checking status bar for link direction, but need to view source of HTML file to really know where you are going.

Hmm... interesting.