
Thread: New IE Bug Hides Real Site Address

  1. #1
    Old and Cranky Super Moderator rik's Avatar
    Join Date
    Aug 2003
    Location
    Watching Your every move...
    Posts
    4,688

    New IE Bug Hides Real Site Address

    From Slashdot: http://slashdot.org/article.pl?sid=03/12/11/1319212

    Posted by michael on Thursday December 11, @08:37AM
    from the can't-blame-the-user-for-this-one dept.
    Norman at Davis writes "ZDNet is running a story on a new security flaw in Microsoft's Internet Explorer which could let hackers use a technique to display a false Web address on a fake site according to an advisory from the Danish security company Secunia. The Danes report that 'the vulnerability is caused due to an input validation error, which can be exploited by including the "%01" URL encoded representation after the username and right before the "@" character in an URL.' PC World reports that 'Microsoft says it is investigating reports of the vulnerability. When that inquiry is complete, the company will take whatever steps it deems necessary, such as issuing a new patch, a spokesperson says.'"

  2. #2
    Precision Processor Super Moderator egghead's Avatar
    Join Date
    May 2002
    Location
    In Your Monitor
    Posts
    3,546
    yeah!

    I saw this yesterday and it works!

    I am planning on sending my friends a bunch of emails with Sony music URLs with my music advertised and rated as a money maker lol


    hahahah

    love this!!!!

  3. #3
    Security Intelligence TZ Veteran cash_site's Avatar
    Join Date
    Jul 2002
    Location
    Software Paradise
    Posts
    3,852
    Sorry, I'm a little slow. Where do you put the %01 etc?? Do you have an example egg, thx bro.

    --- 0wN3D by 3gG ---

  4. #4
    Precision Processor Super Moderator egghead's Avatar
    Join Date
    May 2002
    Location
    In Your Monitor
    Posts
    3,546
    By opening a window using the http://user@domain nomenclature an attacker can hide the real location of the page by including a non-printing character (%01) before the "@".
    Internet Explorer doesn't display the rest of the URL making the page appear to be at a different domain.
    <button onclick="location.href=unescape('http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.htm');" style="font: 8pt verdana, sans-serif;">Test Exploit</button>

    http://www.zapthedingbat.com/security/ex01/vun1.htm


    The problem for me is that I don't know how to force an opening of a new window so I cannot truly re-create this yet.

  5. #5
    Precision Processor Super Moderator egghead's Avatar
    Join Date
    May 2002
    Location
    In Your Monitor
    Posts
    3,546
    Ok - I figured it out!

    see Microsoft's new homepage


    Click here to see Microsoft's new home page


    did you see the URL?


    I can make it say anything I want

    Click here


    here is how to do it
    your spoofed URL
    %00@
    the real URL




    & # 0 1 ; % 0 0 @ is the actual command - remove the spaces

    cheers
    egghead

  6. #6
    Old and Cranky Super Moderator rik's Avatar
    Join Date
    Aug 2003
    Location
    Watching Your every move...
    Posts
    4,688
    Very cool...

  7. #7
    Titanium Member
    Join Date
    Jul 2002
    Location
    blk helo target, WA
    Posts
    3,536

  8. #8
    Old and Cranky Super Moderator rik's Avatar
    Join Date
    Aug 2003
    Location
    Watching Your every move...
    Posts
    4,688

    Update: Spoofing bug affects Mozilla as well as Internet Explorer

    http://theinquirer.net/?article=13158

    THE BUG WE REPORTED earlier this week that allows people to spoof fake URL addresses, also partly affects Mozilla, according to Secunia today.
    And there's a further vulnerability in Internet Explorer, Secunia claims. This allows the bottom left, status bar of a browser to be manipulated as well as the address bar, so that you're more likely to think a forged site is real.

    Secunia said that Mozilla is partly vulnerable to this problem.

  9. #9
    Titanium Member
    Join Date
    Jul 2002
    Location
    blk helo target, WA
    Posts
    3,536
    I rarely look at my status bar as it is.

  10. #10
    Security Intelligence TZ Veteran cash_site's Avatar
    Join Date
    Jul 2002
    Location
    Software Paradise
    Posts
    3,852
    Thx Egg, for the info, and must say very cool bug. I'm sure there will be exploits galore on this one.

    So now it's not just a matter of checking status bar for link direction, but need to view source of HTML file to really know where you are going.

    Hmm... interesting.

    --- 0wN3D by 3gG ---
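
Added example, not part of the original thread: a link check a mail filter or proxy could run so nobody has to read the page source by hand. It extracts the host a browser actually connects to (everything after the last "@" in the authority) and flags the pattern discussed above; `analyzeLink` and its result fields are illustrative names, and every sample URL except the two quoted in post #4 is constructed.

```javascript
// Flags links whose userinfo part (the text before "@") can mislead a reader.
// analyzeLink and its result fields are illustrative names, not a library API.
function analyzeLink(link) {
  // scheme://authority, where the authority ends at the first "/", "?" or "#".
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/?#]*)/i.exec(link);
  if (!m) return { parsed: false, suspicious: false, reasons: [] };

  const authority = m[2];
  const at = authority.lastIndexOf("@");          // host starts after the LAST "@"
  const rawUserinfo = at === -1 ? "" : authority.slice(0, at);
  const realHost = authority.slice(at + 1).replace(/:\d*$/, "").toLowerCase();

  // Decode %XX one byte at a time; decodeURIComponent throws on invalid UTF-8.
  const userinfo = rawUserinfo.replace(/%([0-9a-f]{2})/gi,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));

  const reasons = [];
  // Signal 1: non-printing characters such as %00 or %01 before the "@".
  if (/[\x00-\x1f\x7f]/.test(userinfo)) reasons.push("control-char-in-userinfo");
  // Signal 2: the "username" reads like a hostname other than the real one.
  const shownName = userinfo.split(/[\x00-\x1f\x7f:]/)[0].toLowerCase();
  if (/^[a-z0-9-]+(\.[a-z0-9-]+)+$/.test(shownName) && shownName !== realHost) {
    reasons.push("userinfo-looks-like-host");
  }
  return {
    parsed: true,
    realHost,
    hasUserinfo: at !== -1,
    suspicious: reasons.length > 0,
    reasons,
  };
}

const samples = [
  // The two URLs quoted in post #4 of this thread.
  "http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.htm",
  "http://www.zapthedingbat.com/security/ex01/vun1.htm",
  // Constructed samples: ordinary credentials, and a %00 variant.
  "http://user@example.com/",
  "http://example.org%00@example.net/login",
];
for (const s of samples) {
  const r = analyzeLink(s);
  console.log(r.suspicious ? "FLAG" : "ok  ", r.realHost, r.reasons.join(","));
}
```

The check treats an ordinary `user@host` link as unremarkable and only flags the control-character and hostname-lookalike cases, so it can run over mail or proxy logs without drowning in FTP-style links.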
