Internet Explorer URL Display problem
Daniel Bird
dbird at SGHMS.AC.UK
Wed Dec 10 20:40:19 GMT 2003
Ken Anderson wrote:
> So, combining the suggestions so far - are we getting close?
>
> describe IE6_URL_VULN Body of email contains %01@ in a url
> uri IE6_URL_VULN /\.[a-zA-Z]{2,4}%01\S+@/
> score IE6_URL_VULN 10.0
Just ran that through Regex coach and could not find any false matches,
or character combos that would be missed, so I say yay!
Dan
>
> Ken A.
> Pacific.Net
>
> Daniel Bird wrote:
>
>> Antony Stone wrote:
>>
>>> On Wednesday 10 December 2003 7:46 pm, Daniel Bird wrote:
>>>
>>>
>>>
>>>> Off the top of my head, could you not do a simple SA rule like so:
>>>>
>>>> describe IE_VULN Body of email contains %01@ in a url
>>>> uri IE_VULN / %01@/
>>>> score IE_VULN 10.0
>>>>
>>>> Which would look for that pattern in a url.
>>>>
>>>>
>>>
>>> The above isn't specific to finding the pattern in a URL
>>>
>> Agreed
>>
>>> - although admittedly
>>> I can't think of a valid reason why you'd expect to see a %01
>>> anywhere, URL
>>> or not.
>>>
>>> Note by the way that the original notification referred to the %01
>>> being
>>> *after* the @ sign, not before it (before too many people go off and
>>> concoct
>>> various pattern matches for the wrong pattern!)
>>>
>>>
>> Indeed, that's what I thought. But looking at the html source of the
>> proof of concept, the following is used:
>>
>> <button
>> onclick="location.href=unescape('http://www.microsoft.com*%01@*zapthedingbat.com/security/ex01/vun2.htm');"
>>
>>
>> style="font: 8pt verdana, sans-serif;">
>> Test Exploit
>> </button>
>>
>> Obviously the pattern could be extended to look for a-z,0-9 etc after
>> the @
>>
>> Dan
>>
>>> Antony.
>>>
>>> --
>>> Ramdisk is not an installation procedure.
>>>
>>> Please reply to
>>> the list;
>>> please don't
>>> CC me.
>>>
>>>
>>>
>>
>>
>>
>> --
>> This message has been scanned for viruses and
>> dangerous content by MailScanner, and is
>> believed to be clean.
>>
>>
>
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
More information about the MailScanner
mailing list