MSIEv6 % encoding causes a problem again

From: Liu Die Yu (liudieyuinchinaat_private)
Date: Tue Sep 03 2002 - 05:49:20 PDT


    
    it's about cross-site scripting at MSIEv6 client side using % encoding, 
    but not the same as the one by PeaceFire.org which doesn't work on my PC.
    
    [tested]MSIEv6(CN version)
    {IEXPLORE.EXE file version: 6.0.2600.0000}
    {MSHTML.DLL file version: 6.00.2600.0000} 
    
    [demo]
    at 
    http://www16.brinkster.com/liudieyu/2FforMSIE/2FforMSIE-MyPage.htm
    or 
    clik.to/liudieyu ==> 2FforMSIE-MyPage section.
    
    [exp]
    %?? in URL is decoded when IE calculates the domain, but not decoded while 
    downloading a page.
    so
    [CODE.URL] http://www.yahoo.com%2Fat_private/liudieyu
    (	2F=hex$(asc('/'))	)
    leads to clik.to/liudieyu instead of www.yahoo.com, and its domain is 
    www.yahoo.com for IE
    
    Very simple, that's all.
    
    [contact]
    liudieyuinchinaat_private
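
A defender-side check for the mismatch described under [exp], as an added example that is not part of the original post: it derives the host twice, once by splitting the authority without decoding and once after percent-decoding, and flags any URL where the two disagree. The function names are hypothetical, and the first sample URL assumes the archive's `at_private` stands for `@clik.to`.

```javascript
// Added example. Function names are hypothetical; sample URLs are constructed.

// Host part of the text after "scheme://", taken with no decoding.
function hostOf(rest) {
  const end = rest.search(/[\/?#]/);               // authority ends at first / ? or #
  const authority = end === -1 ? rest : rest.slice(0, end);
  const hostPort = authority.slice(authority.lastIndexOf("@") + 1); // drop userinfo
  return hostPort.replace(/:\d*$/, "").toLowerCase();               // drop port
}

// Decode well-formed %XX escapes; anything malformed is left untouched.
function decodePercent(s) {
  return s.replace(/%([0-9a-fA-F]{2})/g,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Compare the two orders of operation the post describes.
function checkUrl(url) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/(.*)$/i.exec(url);
  if (!m) return { url, error: "no scheme://authority" };
  const fetchHost = hostOf(m[1]);                  // split without decoding (download path)
  const policyHost = hostOf(decodePercent(m[1]));  // decode, then split (domain calculation)
  return { url, fetchHost, policyHost, mismatch: fetchHost !== policyHost };
}

const samples = [
  "http://www.yahoo.com%2F@clik.to/liudieyu",  // assumed form of the post's URL
  "http://www.yahoo.com/news%2Ftoday",         // escape in the path only
  "http://user@www.yahoo.com/a%40b",           // escaped @ in the path only
];
for (const u of samples) {
  const r = checkUrl(u);
  console.log(r.mismatch ? "REJECT" : "ok    ", r.fetchHost, r.policyHost, u);
}
```

A filter that rejects on any mismatch does not need to know which of the two orders a given client applies.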
    


