Internet Explorer URL Display problem
Daniel Bird
dbird at SGHMS.AC.UK
Wed Dec 10 20:11:47 GMT 2003
Daniel Bird wrote:
> Antony Stone wrote:
>
>> On Wednesday 10 December 2003 7:46 pm, Daniel Bird wrote:
>>
>>
>>
>>> Off the top of my head, could you not do a simple SA rule like so:
>>>
>>> describe IE_VULN Body of email contains %01@ in a url
>>> uri IE_VULN / %01@/
>>> score IE_VULN 10.0
>>>
>>> Which would look for that pattern in a url.
>>>
>>>
>>
>> The above isn't specific to finding the pattern in a URL
>>
> Agreed
>
>> - although admittedly
>> I can't think of a valid reason why you'd expect to see a %01
>> anywhere, URL
>> or not.
>>
>> Note by the way that the original notification referred to the %01 being
>> *after* the @ sign, not before it (before too many people go off and
>> concoct
>> various pattern matches for the wrong pattern!)
>>
>>
> Indeed, that's what I thought. But looking at the html source of the
> proof of concept, the following is used:
>
> <button
> onclick="location.href=unescape('http://www.microsoft.com*%01@*zapthedingbat.com/security/ex01/vun2.htm');"
>
> style="font: 8pt verdana, sans-serif;">
> Test Exploit
> </button>
>
> Obviously the pattern could be extended to look for a-z,0-9 etc after
> the @
Ignore the *'s in the above URL. My MUA decided to replace the bold with
* (must have sent plain text only) sorry.
Should be :
http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.htm
>
> Dan
>
>> Antony.
>>
>> --
>> Ramdisk is not an installation procedure.
>>
>> Please reply to
>> the list;
>> please
>> don't CC me.
>>
>>
>>
>
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
More information about the MailScanner
mailing list