Message-ID: <Pine.LNX.4.61.0501121652170.911@fingers>
Date: Wed, 12 Jan 2005 17:30:00 -0800 (PST)
From: RSnake <rsnake@...cking.com>
To: bugtraq@...urityfocus.com
Subject: IE issue with percent 20
This is a really odd problem, and I haven't seen it published anywhere.
Apparently IE handles IPs in URLs as something like (as you might
expect):
http://xxx.xxx.xxx.xxx/
But the problem is if I put a %20 in the IP address like this, it will
still render (assuming I am under 16 characters between the slashes):
http://x.x.x.x%20/
It is looking for 16 characters. I have a feeling the %20 is ignored
because IE felt that it is easy to fat-finger URLs or cut and paste
incorrectly and accidentally add in a space which otherwise would cause
issues. (In all cases I tested it was 16 characters max except one... I
have one computer that allows me to put in as much data as I want, but I
haven't been able to duplicate that on any other machine I have tested -
if you can tell me how to increase the allotted space, there are more
holes here, but I can't replicate them so I won't go into it). This is
tested on IE 6.0 SP1 and SP2. Where this becomes a problem is in the
case of a short URL you can put in some data here, like so:
http://x.x.x.x%20a.com/
Further, if the real IP address is on a server that can handle this (IIS
doesn't know how to handle it in all the cases I have tested, but Apache
handles it fine by default) and you have either Earthlink's
FraudEliminator or CoreStreet's SpoofStick, they give incorrect
information. (Please don't hit this poor guy's IP, he just happened to
have one short enough to test this):
http://www.shocking.com/~rsnake/images/rs/percenttwenty.jpg
To be fair, I am sure I can configure both of these toolbars to be more
useful, but you get the idea. I'm not sure if it's possible but I have
a feeling if you could put a %20 into a cname it could have very similar
and weird results, although I don't have access to a BIND server to
test this theory. In the example above, I didn't have a shorter IP, but
if I had I would have substituted "a.it" with "a.com" which would have
changed SpoofStick to be "a.com" and not "184 a.com" as you might
expect (try with a 10.* address to see for yourself).
There are probably more interesting things here, as Apache handles the
header "HTTP_HOST" properly (translates the %20 into a space), but I
would imagine this would have negative side effects on certain
applications that need that data. Anyway...
Special thanks to Id - he helped me find a suitable IP to test this.
-R
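The post turns on two parsers disagreeing about one authority string: IE displays the address up to the %20, while Apache decodes the Host header to an IP followed by a space and whatever was appended. The defensive check below is an added example, not code from the post: it keeps the raw (undecoded) host exactly as it appears in the URL and rejects it if it contains a percent sign or whitespace, since a legitimate hostname or IPv4 literal never needs either. The 10.1.2.3 address and a.com are constructed placeholders standing in for the x.x.x.x%20a.com pattern.

```python
import re
from urllib.parse import urlsplit, unquote

# RFC 1123 hostname labels and a dotted-quad IPv4 literal. A host that
# matches either grammar never needs percent-encoding, so a '%' or any
# whitespace in the raw authority is itself the signal to reject on.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")
_OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"
_IPV4_RE = re.compile(rf"^{_OCTET}(?:\.{_OCTET}){{3}}$")


def host_from_url(url: str) -> str:
    """Raw, undecoded host from the URL authority (urlsplit does not
    percent-decode the netloc, so the %20 is still visible here)."""
    return urlsplit(url).hostname or ""


def validate_host(raw_host: str):
    """Classify a host taken from a URL or a Host header.

    Returns (accepted, kind): kind is 'ipv4' or 'hostname' on success,
    otherwise the rejection reason. No .strip() on purpose: a stray
    space is exactly what we want to catch, not hide.
    """
    if "%" in raw_host:
        # Decode only to report what a lenient server (Apache) would see.
        return False, f"percent-encoding in host (decodes to {unquote(raw_host)!r})"
    if any(c.isspace() for c in raw_host):
        return False, "whitespace in host"
    if _IPV4_RE.match(raw_host):
        return True, "ipv4"
    if _HOSTNAME_RE.match(raw_host):
        return True, "hostname"
    return False, "not a valid hostname or IPv4 literal"

# Constructed samples in the shape of the post's x.x.x.x%20a.com URL;
# the 10.0.0.0/8 address and a.com are placeholders, not real hosts.
SAMPLE_URLS = [
    "http://10.1.2.3/",
    "http://10.1.2.3%20/",
    "http://10.1.2.3%20a.com/",
    "http://www.example.com/",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        host = host_from_url(url)
        ok, kind = validate_host(host)
        print(f"{url:28} {'ok' if ok else 'REJECT'}: {kind}")
```

The same check applied server-side to the decoded Host header value ("10.1.2.3 a.com") rejects it on the whitespace rule, so an application relying on HTTP_HOST never sees the appended data as part of a trusted name.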