Internet Explorer URL Display problem
Ken Anderson
ka at PACIFIC.NET
Wed Dec 10 20:32:22 GMT 2003
So, combining the suggestions so far - are we getting close?
describe IE6_URL_VULN Body of email contains %01@ in a url
uri IE6_URL_VULN /\.[a-zA-Z]{2,4}%01\S+@/
score IE6_URL_VULN 10.0
Ken A.
Pacific.Net
Daniel Bird wrote:
> Antony Stone wrote:
>
>> On Wednesday 10 December 2003 7:46 pm, Daniel Bird wrote:
>>
>>
>>
>>> Off the top of my head, could you not do a simple SA rule like so:
>>>
>>> describe IE_VULN Body of email contains %01@ in a url
>>> uri IE_VULN / %01@/
>>> score IE_VULN 10.0
>>>
>>> Which would look for that pattern in a url.
>>>
>>>
>>
>> The above isn't specific to finding the pattern in a URL
>>
> Agreed
>
>> - although admittedly
>> I can't think of a valid reason why you'd expect to see a %01
>> anywhere, URL
>> or not.
>>
>> Note by the way that the original notification referred to the %01 being
>> *after* the @ sign, not before it (before too many people go off and
>> concoct
>> various pattern matches for the wrong pattern!)
>>
>>
> Indeed, that's what I thought. But looking at the html source of the
> proof of concept, the following is used:
>
> <button
> onclick="location.href=unescape('http://www.microsoft.com*%01@*zapthedingbat.com/security/ex01/vun2.htm');"
>
> style="font: 8pt verdana, sans-serif;">
> Test Exploit
> </button>
>
> Obviously the pattern could be extended to look for a-z,0-9 etc after the @
>
> Dan
>
>> Antony.
>>
>> --
>> Ramdisk is not an installation procedure.
>>
>> Please reply to
>> the list;
>> please don't
>> CC me.
>>
>>
>>
>
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>
More information about the MailScanner
mailing list