Internet Explorer URL Display problem

Ken Anderson ka at PACIFIC.NET
Wed Dec 10 20:37:59 GMT 2003


Julian Field wrote:

> At 20:05 10/12/2003, you wrote:
>
>> Antony Stone wrote:
>>
>>> On Wednesday 10 December 2003 7:46 pm, Daniel Bird wrote:
>>>
>>>> Off the top of my head, could you not do a simple SA rule like so:
>>>>
>>>> describe IE_VULN Body of email contains %01@ in a url
>>>> uri IE_VULN / %01@/
>>>> score IE_VULN 10.0
>>>>
>>>> Which would look for that pattern in a url.
>>>>
>>>
>>> The above isn't specific to finding the pattern in a URL
>>
>> Agreed
>>
>>> - although admittedly I can't think of a valid reason why you'd expect
>>> to see a %01 anywhere, URL or not.
>>>
>>> Note by the way that the original notification referred to the %01 being
>>> *after* the @ sign, not before it (before too many people go off and
>>> concoct various pattern matches for the wrong pattern!)
>>>
>> Indeed, that's what I thought. But looking at the html source of the
>> proof of concept, the following is used:
>>
>> <button
>> onclick="location.href=unescape('http://www.microsoft.com*%01@*zapthedingbat.com/security/ex01/vun2.htm');"
>>
>> style="font: 8pt verdana, sans-serif;">
>>            Test Exploit
>>        </button>
>>
>> Obviously the pattern could be extended to look for a-z,0-9 etc after the @
>
>
> Should
>
> uri IE_VULN /%01.*@/
> score IE_VULN 10.0
> describe IE_VULN Internet Explorer vulnerability
>
> work?

Consider a recipe...

Add chemical X to a %01 solution of Sugar and Spice and Everything Nice
Bake @ 400 degrees.
Send off to capture Mojo Jo Jo.

I think it would match.
Ken A.



> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>
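
An added example, not code from anyone in this thread: the false-positive concern above, checked in Python by comparing the proposed pattern run over free text with a check scoped to the userinfo part of each URL. The function names and the `.example` hostnames are constructed for illustration, and the recipe is assumed to be matched as a single string.

```python
import re

# The pattern proposed in the thread, applied to arbitrary text.
# re.S is an assumption: the text is treated as one string, not line by line.
NAIVE = re.compile(r"%01.*@", re.S)

# Candidate URLs: capture the authority, which ends at / ? # quote or whitespace.
URL = re.compile(r"""\bhttps?://([^\s/?#'"<>]+)""", re.I)

# A percent-encoded (%00-%1f, %7f) or raw control character.
CTRL = re.compile(r"%(?:[01][0-9a-f]|7f)|[\x00-\x1f\x7f]", re.I)


def naive_match(text):
    """True if the thread's pattern matches anywhere in the text."""
    return NAIVE.search(text) is not None


def suspicious_urls(text):
    """Return URL prefixes whose userinfo (before the last '@') holds a control char."""
    hits = []
    for m in URL.finditer(text):
        userinfo, sep, _host = m.group(1).rpartition("@")
        if sep and CTRL.search(userinfo):
            hits.append(m.group(0))
    return hits


# Constructed samples.
RECIPE = ("Add chemical X to a %01 solution of Sugar and Spice and Everything Nice\n"
          "Bake @ 400 degrees.\n")
SPOOF = "location.href=unescape('http://trusted.example%01@other.example/page.htm');"
PLAIN = "See http://user@host.example/ and http://host.example/a%01b@c"

if __name__ == "__main__":
    for name, sample in (("recipe", RECIPE), ("spoof", SPOOF), ("plain", PLAIN)):
        print(name, naive_match(sample), suspicious_urls(sample))
```
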


