lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.61.0501121652170.911@fingers>
Date: Wed, 12 Jan 2005 17:30:00 -0800 (PST)
From: RSnake <rsnake@...cking.com>
To: bugtraq@...urityfocus.com
Subject: IE issue with percent 20



This is a really odd problem, and I haven't seen it published anywhere.
Apparently IE handles IPs in URLs as something like (as you might
expect):

 	http://xxx.xxx.xxx.xxx/

But the problem is if I put a %20 in the IP address like this, it will
still render (assuming I am under 16 charachters between the slashes):

 	http://x.x.x.x%20/

It is looking for 16 charachters. I have a feeling the %20 is ignored
because IE felt that it is easy to fat-finger URLs or cut and paste
incorrectly and accidentally add in a space which otherwise would cause
issues. (In all cases I tested it was 16 charachters max except one... I
have one computer that allows me to put in as much data as I want, but I
haven't been able to duplicate that on any other machine I have tested -
if you can tell me how to increase the alloted space, there are more
holes here, but I can't replicate them so I won't go into it).  This is
tested on IE 6.0 SP1 and SP2.  Where this becomes a problem is in the
case of a short URL you can put in some data here, like so:

 	http://x.x.x.x%20a.com/

Further, if the real IP address is on a server that can handle this (IIS
doesn't know how to handle it in all the cases I have tested, but Apache
handles it fine by default) and you have either Earthlink's
FraudEliminator or CoreStreet's SpooofStick, they give incorrect
information.  (Please don't hit this poor guy's IP, he just happened to
have one short enough to test this):

http://www.shocking.com/~rsnake/images/rs/percenttwenty.jpg

To be fair, I am sure I can configure both of these toolbars to be more
useful, but you get the idea.  I'm not sure if it's possible but I have
a feeling if you could put a %20 into a cname it could have very similar
and weird results, although I don't have access to a BIND server to
test this theory.  In the example above, I didn't have a shorter IP, but
if I had I would have substituted "a.it" with "a.com" which would have
changed SpoofStick to be "a.com" and not "184 a.com" as you might
expect (try with a 10.* address to see for yourself).

There is probably more interesting things here, as Apache handles the
header "HTTP_HOST" properly (translates the %20 into a space), but I
would imagine this would have negative side effects on certain
applications that need that data.  Anyway...

Special thanks to Id - he helped me find a suitable IP to test this.

-R

The information in this email is confidential and may be legally
privileged.  It is intended solely for the addressee.  Access to
this email by anyone else is unauthorized.  If you are not the
intended recipient, any disclosure, copying, distribution or any
action taken or omitted to be taken in reliance on it is 
expressly prohibited and may be unlawful.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ