Internet Explorer URL Display problem

Daniel Bird dbird at SGHMS.AC.UK
Wed Dec 10 20:05:36 GMT 2003


Antony Stone wrote:

>On Wednesday 10 December 2003 7:46 pm, Daniel Bird wrote:
>
>>Off the top of my head, could you not do a simple SA rule like so:
>>
>>describe IE_VULN Body of email contains %01@ in a url
>>uri IE_VULN / %01@/
>>score IE_VULN 10.0
>>
>>Which would look for that pattern in a url.
>>
>
>The above isn't specific to finding the pattern in a URL
>
Agreed

> - although admittedly
>I can't think of a valid reason why you'd expect to see a %01 anywhere, URL
>or not.
>
>Note by the way that the original notification referred to the %01 being
>*after* the @ sign, not before it (before too many people go off and concoct
>various pattern matches for the wrong pattern!)
>
>
Indeed, that's what I thought. But looking at the html source of the
proof of concept, the following is used:

<button
onclick="location.href=unescape('http://www.microsoft.com*%01@*zapthedingbat.com/security/ex01/vun2.htm');"
style="font: 8pt verdana, sans-serif;">
            Test Exploit
        </button>

Obviously the pattern could be extended to look for a-z, 0-9 etc. after the @.

Dan

>Antony.
>
>--
>Ramdisk is not an installation procedure.
>
>                                                     Please reply to the list;
>                                                           please don't CC me.
>



--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
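
Added example, not part of the original message and not SpamAssassin or MailScanner code: the check discussed in this thread written as Python detection logic. It generalises the `%01@` pattern from the proof of concept to any control character (`%00`-`%1F`, encoded or already unescaped) in the userinfo part of an http(s) URL; the host names and the sample body are constructed.

```python
import re
from urllib.parse import unquote

# Authority of an http(s) URL: text between "//" and the first "/", "?", "#",
# quote, angle bracket or whitespace.
URL_RE = re.compile(r"""https?://([^/?#\s'"<>]+)""", re.IGNORECASE)
# A control character, percent-encoded (%00-%1F) or raw.
CTRL_RE = re.compile(r"%[01][0-9a-f]|[\x00-\x1f]", re.IGNORECASE)
# The bare substring match, for comparison.
NAIVE_RE = re.compile(r"%01@")

# Constructed sample body (hypothetical hosts), not taken from the thread.
SAMPLE = (
    '<a href="http://trusted.example%01@other.example/login.htm">log in</a>\n'
    "HTTP://bank.example%1F@other.example:8080/\n"
    "http://shop.example\x01@other.example/\n"            # already unescaped
    "ftp mirror login: http://user@files.example/pub/\n"  # ordinary userinfo
    "http://www.example/page?mail=a%01@b.example\n"       # pattern outside authority
)


def find_spoofed_urls(body):
    """Return (shown_host, real_host) for each URL whose userinfo part
    (the text before the last "@" in the authority) holds a control char."""
    hits = []
    for match in URL_RE.finditer(body):
        userinfo, at, hostport = match.group(1).rpartition("@")
        if not at:
            continue  # no userinfo at all
        ctrl = CTRL_RE.search(userinfo)
        if ctrl is None:
            continue  # plain user@host, not this pattern
        shown = unquote(userinfo[:ctrl.start()])  # text ahead of the control char
        real = hostport.split(":")[0].lower()     # host named after the "@"
        hits.append((shown, real))
    return hits


if __name__ == "__main__":
    for shown, real in find_spoofed_urls(SAMPLE):
        print(f"reads as {shown!r}, resolves to {real!r}")
    print("bare %01@ matches:", len(NAIVE_RE.findall(SAMPLE)))
```

On this sample the bare `%01@` match fires twice, once on the query-string line that is not a spoof, and misses the `%1F` and unescaped variants that the authority-based check reports.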


