Internet Explorer URL Display problem

Julian Field mailscanner at
Wed Dec 10 20:50:51 GMT 2003

At 20:37 10/12/2003, you wrote:
>Julian Field wrote:
>>At 20:05 10/12/2003, you wrote:
>>>Antony Stone wrote:
>>>>On Wednesday 10 December 2003 7:46 pm, Daniel Bird wrote:
>>>>>Off the top of my head, could you not do a simple SA rule like so:
>>>>>describe IE_VULN Body of email contains %01@ in a url
>>>>>uri IE_VULN / %01@/
>>>>>score IE_VULN 10.0
>>>>>Which would look for that pattern in a url.
>>>>The above isn't specific to finding the pattern in a URL - although admittedly
>>>>I can't think of a valid reason why you'd expect to see a %01 anywhere, URL
>>>>or not.
>>>>Note by the way that the original notification referred to the %01 being
>>>>*after* the @ sign, not before it (before too many people go off and
>>>>various pattern matches for the wrong pattern!)
>>>Indeed, that's what I thought. But looking at the html source of the
>>>proof of concept, the following is used:
>>>style="font: 8pt verdana, sans-serif;">
>>>            Test Exploit
>>>        </button>
>>>Obviously the pattern could be extended to look for a-z,0-9 etc after
>>>the @
>>uri IE_VULN /%01.*@/
>>score IE_VULN 10.0
>>describe IE_VULN Internet Explorer vulnerability
>consider a recipe..
>Add chemical X to a %01 solution of Sugar and Spice and Everything Nice
>Bake @ 400 degrees.
>Send off to capture Mojo Jo Jo.
>I think it would match.

No it shouldn't.
That's why I made it a URI test and not just a body or rawbody test. From
the SA docs:
            The 'uri' in this case is a list of all the URIs in the body of the
            email, and the test will be run on each and every one of those
            URIs, adjusting the score if a match is found. Use this test
            instead of one of the body tests when you need to match a URI, as
            it is more accurately bound to the start/end points of the URI, and
            will also be faster.
And it needs to be a * and not a + as you don't need any text between %01
and @. I don't see the need to try to match a country code before the %01
either, what happens when they put in a space %20 or other unprintable (or
nearly invisible) character? I feel you are adding restrictions to the
test, which the hacker can easily work around.
Julian Field
Professional Support Services at
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
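As an added illustration of the point Julian makes above (this is example code written for this page, not code from the thread, from MailScanner or from SpamAssassin), the script below applies the same regex once to every URI pulled out of the message and once to the raw body text, on two constructed sample messages. The URI extractor is a deliberately simple stand-in for SpamAssassin's own URI collection, and the spoofed host `198.51.100.7` is a documentation address chosen for the example.

```python
import re

# Julian's rule from the thread, as a Python regex (the pattern is the same in
# SpamAssassin's Perl syntax).
IE_VULN_RE = re.compile(r"%01.*@")

# The '+' variant discussed in the thread, to show why '*' is the right choice.
IE_VULN_PLUS_RE = re.compile(r"%01.+@")

# Assumption: a crude URI extractor standing in for SpamAssassin's own, which is
# far more thorough. This one finds schemed URLs and bare www. hosts only.
URI_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def extract_uris(body: str) -> list[str]:
    """Return every URI found in the body text."""
    return URI_RE.findall(body)


def uri_rule_hits(body: str, pattern: re.Pattern = IE_VULN_RE) -> list[str]:
    """URIs a 'uri' rule would flag: the regex runs on each URI, not on prose."""
    return [u for u in extract_uris(body) if pattern.search(u)]


def body_rule_hits(body: str, pattern: re.Pattern = IE_VULN_RE) -> bool:
    """What a plain 'body' rule with the same regex would do: match anywhere."""
    return bool(pattern.search(body))


# Constructed sample messages.
RECIPE = ("Add chemical X to a %01 solution of Sugar and Spice. Bake @ 400 degrees. "
          "Visit http://www.example.com/recipes for more.")

SPOOFED = ("Please verify your account at "
           "http://www.example.com%01@198.51.100.7/login.html today.")

if __name__ == "__main__":
    for name, msg in (("recipe", RECIPE), ("spoofed", SPOOFED)):
        print(name, "uri rule:", uri_rule_hits(msg),
              "body rule:", body_rule_hits(msg),
              "uri rule with '+':", uri_rule_hits(msg, IE_VULN_PLUS_RE))
```

The recipe trips the body-scoped regex but not the URI-scoped one, and the spoofed link with nothing between `%01` and `@` is missed entirely by the `.+` variant.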
