TUCoPS :: Browsers :: expl5669.htm

Internet Explorer % encoding directive cross site scripting issue
4th Sep 2002 [SBWID-5669]
COMMAND

	
		IE % encoding directive cross site scripting issue
	
	

SYSTEMS AFFECTED

	
		 MSIE v6.x

		 MSIE v5.0x

		 Tested with : IEXPLORE.EXE file version: 6.0.2600.0000 

		               MSHTML.DLL file version: 6.00.2600.0000
	
	

PROBLEM

	
		liudieyuinchina@yahoo.com.cn found :
		

		 [demo]

		at
		

		http://www16.brinkster.com/liudieyu/2FforMSIE/2FforMSIE-MyPage.htm

		

		or
		

		clik.to/liudieyu ==> 2FforMSIE-MyPage section.

		

		 [exp]

		%?? in URL is decoded when IE caculates  the  domain,  but  not  decoded
		while downloading a page. so
		

		[CODE.URL]http://www.yahoo.com%2F@clik.to/liudieyu

		(	2F=hex$(asc('/'))	)

		

		leads to clik.to/liudieyu instead of www.yahoo.com, and  the  domain  of
		it www.yahoo.com for IE.
		

		

		 Update (09 september 2002)

		 ======

		

		Bentfork adds this should have a higher rating  considering  the  recent
		w0man SSL man in the middle attack.
	
	

SOLUTION

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH