Internet Explorer URL Display problem

Julian Field mailscanner at ecs.soton.ac.uk
Wed Dec 10 20:27:52 GMT 2003


At 20:05 10/12/2003, you wrote:
>Antony Stone wrote:
>>On Wednesday 10 December 2003 7:46 pm, Daniel Bird wrote:
>>>Off the top of my head, could you not do a simple SA rule like so:
>>>
>>>describe IE_VULN Body of email contains %01@ in a url
>>>uri IE_VULN / %01@/
>>>score IE_VULN 10.0
>>>
>>>Which would look for that pattern in a url.
>>>
>>
>>The above isn't specific to finding the pattern in a URL
>Agreed
>
>>- although admittedly
>>I can't think of a valid reason why you'd expect to see a %01 anywhere, URL
>>or not.
>>
>>Note by the way that the original notification referred to the %01 being
>>*after* the @ sign, not before it (before too many people go off and concoct
>>various pattern matches for the wrong pattern!)
>>
>Indeed, that's what I thought. But looking at the html source of the
>proof of concept, the following is used:
>
><button
>onclick="location.href=unescape('http://www.microsoft.com*%01@*zapthedingbat.com/security/ex01/vun2.htm');"
>style="font: 8pt verdana, sans-serif;">
>            Test Exploit
>        </button>
>
>Obviously the pattern could be extended to look for a-z,0-9 etc after the @

Should

uri IE_VULN /%01.*@/
score IE_VULN 10.0
describe IE_VULN Internet Explorer vulnerability

work?
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654



More information about the MailScanner mailing list