Internet Explorer URL Display problem

Randal, Phil prandal at HEREFORDSHIRE.GOV.UK
Fri Dec 12 10:23:44 GMT 2003


When in doubt, consult the RFCs.  RFC 1738
(http://www.faqs.org/rfcs/rfc1738.html)
says:

"3.3. HTTP

   The HTTP URL scheme is used to designate Internet resources
   accessible using HTTP (HyperText Transfer Protocol).

   The HTTP protocol is specified elsewhere. This specification only
   describes the syntax of HTTP URLs.

   An HTTP URL takes the form:

      http://<host>:<port>/<path>?<searchpart>

   where <host> and <port> are as described in Section 3.1. If :<port>
   is omitted, the port defaults to 80.  No user name or password is
   allowed."

Interesting!  I wonder what would break if we were that strict?

Cheers,

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> Behalf Of Antony Stone
> Sent: 11 December 2003 15:42
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Internet Explorer URL Display problem
>
>
> On Thursday 11 December 2003 3:34 pm, Julian Field wrote:
>
> > At 15:27 11/12/2003, you wrote:
> > >%0[0-9] would be better (or something like that).
> >
> > %[01][0-9a-fA-F]
> > instead of
> > %01
> > perhaps?
> >
> > I would imagine that the guy who found this exploit tested other characters
> > too and found them not to be vulnerable. So %01 is probably good enough.
>
> The report at http://www.secunia.com/advisories/10395 mentions that %00 at
> least is also effective.
>
> Antony.
>
> --
> If you want to be happy for an hour, get drunk.
> If you want to be happy for a year, get married.
> If you want to be happy for a lifetime, get a garden.
>
>                                                      Please reply to the list;
>                                                            please don't CC me.
>
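
A check along the lines discussed in this thread, added here as an example (not code from MailScanner or from any poster): it flags http URLs that carry userinfo, which RFC 1738 section 3.3 disallows, and applies the %[01][0-9a-fA-F] pattern to the authority part. The function names, the sample URLs, treating https like http, and limiting the escape check to the authority are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# Pattern suggested in the thread: a percent-escape for any byte 0x00-0x1F,
# which covers both %01 and the %00 noted in the Secunia report.
CTRL_ESCAPE = re.compile(r"%[01][0-9a-fA-F]")


def check_http_url(url):
    """Return a list of findings for one URL; an empty list means it passed."""
    parts = urlsplit(url)
    # Assumption: https is treated like http; RFC 1738 3.3 names http only.
    if parts.scheme not in ("http", "https"):
        return []
    findings = []
    authority = parts.netloc  # text between "//" and the next "/", "?" or "#"
    if "@" in authority:
        # RFC 1738 3.3: "No user name or password is allowed."
        findings.append("userinfo")
    if CTRL_ESCAPE.search(authority):
        # Assumption: only the authority is checked, not the path or query.
        findings.append("control-escape")
    return findings


def real_host(url):
    """Host named after the last '@' in the authority, without the port."""
    return urlsplit(url).netloc.rpartition("@")[2].partition(":")[0]


# Constructed sample URLs (reserved .example names), not taken from the thread.
SAMPLES = [
    "http://www.example.com:8080/path?q=1",
    "http://user:secret@intranet.example/",
    "http://www.trusted.example%01@other.example/login",
    "http://www.trusted.example%00@other.example/login",
    "http://www.example.com/file%20name.html",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, check_http_url(u), real_host(u))
```

The second sample shows what strict RFC 1738 enforcement would reject: an ordinary user:password URL with no control escape in it at all.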
