Internet Explorer URL Display problem

Julian Field mailscanner at ecs.soton.ac.uk
Wed Dec 10 20:53:41 GMT 2003


At 20:40 10/12/2003, you wrote:
>Ken Anderson wrote:
>
>>So, combining the suggestions so far - are we getting close?
>>
>>describe        IE6_URL_VULN Body of email contains %01@ in a url
>>uri     IE6_URL_VULN /\.[a-zA-Z]{2,4}%01\S+@/
>>score   IE6_URL_VULN 10.0
>
>Just ran that through Regex coach and could not find any false matches,
>or character combos that would be missed, so I say yay!

How about this:
http://www.microsoft.com%20%01%20@nasty.hacker.com/hohoho
That will appear to be
http://www.microsoft.com
and yet you won't catch it.


>Dan
>
>>
>>Ken A.
>>Pacific.Net
>>
>>Daniel Bird wrote:
>>
>>>Antony Stone wrote:
>>>
>>>>On Wednesday 10 December 2003 7:46 pm, Daniel Bird wrote:
>>>>
>>>>
>>>>
>>>>>Off the top of my head, could you not do a simple SA rule like so:
>>>>>
>>>>>describe IE_VULN Body of email contains %01@ in a url
>>>>>uri IE_VULN / %01@/
>>>>>score IE_VULN 10.0
>>>>>
>>>>>Which would look for that pattern in a url.
>>>>>
>>>>
>>>>The above isn't specific to finding the pattern in a URL
>>>Agreed
>>>
>>>>- although admittedly I can't think of a valid reason why you'd expect
>>>>to see a %01 anywhere, URL or not.
>>>>
>>>>Note by the way that the original notification referred to the %01 being
>>>>*after* the @ sign, not before it (before too many people go off and
>>>>concoct various pattern matches for the wrong pattern!)
>>>>
>>>Indeed, that's what I thought. But looking at the html source of the
>>>proof of concept, the following is used:
>>>
>>><button
>>>onclick="location.href=unescape('http://www.microsoft.com*%01@*zapthedingbat.com/security/ex01/vun2.htm');"
>>>style="font: 8pt verdana, sans-serif;">
>>>            Test Exploit
>>>        </button>
>>>
>>>Obviously the pattern could be extended to look for a-z,0-9 etc after
>>>the @
>>>
>>>Dan
>>>
>>>>Antony.
>>>>
>>>>--
>>>>Ramdisk is not an installation procedure.
>>>>
>>>>                                                     Please reply to the list;
>>>>                                                           please don't CC me.
>>>>
>>>>
>>>
>>>
>>>
>>>--
>>>This message has been scanned for viruses and
>>>dangerous content by MailScanner, and is
>>>believed to be clean.
>>>

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
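
The pattern proposed in the thread and the counter-example URL above can be compared directly. The following Python sketch is an added example, not code from any poster in this thread and not a SpamAssassin rule: it runs the thread's regex next to a structural check that isolates the part of the URL authority before the `@` and decodes it. The check generalises from `%01` to any control byte; the function names and the `example.*` URLs are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Pattern proposed earlier in the thread (body of the SpamAssassin "uri" rule).
THREAD_RULE = re.compile(r"\.[a-zA-Z]{2,4}%01\S+@")

# scheme://authority, where the authority ends at the first '/', '?' or '#'.
AUTHORITY = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*://([^/?#]*)")


def userinfo_has_control_bytes(url: str) -> bool:
    """True if the authority text before the last '@' decodes to any
    control byte (0x00-0x1F or 0x7F), whether raw or percent-encoded."""
    m = AUTHORITY.match(url)
    if not m or "@" not in m.group(1):
        return False
    userinfo = m.group(1).rpartition("@")[0]
    decoded = unquote_to_bytes(userinfo)
    return any(b < 0x20 or b == 0x7F for b in decoded)


def compare(urls):
    """Return {url: (thread_rule_hit, structural_hit)} for each URL."""
    return {u: (bool(THREAD_RULE.search(u)), userinfo_has_control_bytes(u))
            for u in urls}


SAMPLES = [
    # URL from the message above, verbatim.
    "http://www.microsoft.com%20%01%20@nasty.hacker.com/hohoho",
    # Constructed variants on reserved example domains.
    "http://www.example.com%01@other.example.net/",      # %01 directly before '@'
    "http://www.example.com%01x@other.example.net/",     # one character after %01
    "http://www.example.com%09%00@other.example.net/",   # other control bytes
    # Constructed benign controls.
    "http://user@ftp.example.org/pub/",                  # ordinary userinfo
    "http://www.example.org/page?mail=a@b.org",          # '@' outside the authority
]

if __name__ == "__main__":
    for url, (regex_hit, struct_hit) in compare(SAMPLES).items():
        print(f"regex={regex_hit!s:5} structural={struct_hit!s:5} {url}")
```
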