| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 12 Jan 2005 17:30:00 -0800 (PST) From: RSnake <rsnake@...cking.com> To: bugtraq@...urityfocus.com Subject: IE issue with percent 20 This is a really odd problem, and I haven't seen it published anywhere. Apparently IE handles IPs in URLs as something like (as you might expect): http://xxx.xxx.xxx.xxx/ But the problem is if I put a %20 in the IP address like this, it will still render (assuming I am under 16 charachters between the slashes): http://x.x.x.x%20/ It is looking for 16 charachters. I have a feeling the %20 is ignored because IE felt that it is easy to fat-finger URLs or cut and paste incorrectly and accidentally add in a space which otherwise would cause issues. (In all cases I tested it was 16 charachters max except one... I have one computer that allows me to put in as much data as I want, but I haven't been able to duplicate that on any other machine I have tested - if you can tell me how to increase the alloted space, there are more holes here, but I can't replicate them so I won't go into it). This is tested on IE 6.0 SP1 and SP2. Where this becomes a problem is in the case of a short URL you can put in some data here, like so: http://x.x.x.x%20a.com/ Further, if the real IP address is on a server that can handle this (IIS doesn't know how to handle it in all the cases I have tested, but Apache handles it fine by default) and you have either Earthlink's FraudEliminator or CoreStreet's SpooofStick, they give incorrect information. (Please don't hit this poor guy's IP, he just happened to have one short enough to test this): http://www.shocking.com/~rsnake/images/rs/percenttwenty.jpg To be fair, I am sure I can configure both of these toolbars to be more useful, but you get the idea. I'm not sure if it's possible but I have a feeling if you could put a %20 into a cname it could have very similar and weird results, although I don't have access to a BIND server to test this theory. In the example above, I didn't have a shorter IP, but if I had I would have substituted "a.it" with "a.com" which would have changed SpoofStick to be "a.com" and not "184 a.com" as you might expect (try with a 10.* address to see for yourself). There is probably more interesting things here, as Apache handles the header "HTTP_HOST" properly (translates the %20 into a space), but I would imagine this would have negative side effects on certain applications that need that data. Anyway... Special thanks to Id - he helped me find a suitable IP to test this. -R The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is expressly prohibited and may be unlawful.
Powered by blists - more mailing lists