On Thursday 11 December 2003 3:07 pm, DB wrote:
> I saw a new IE exploit descibed as follows:
>
> ---------------------
> http://www.secunia.com/advisories/10395/
>
> Example displaying only "http://www.trusted_site.com" in the address bar
> when the real domain is "malicious_site.com":
> http://www.trusted_site.com%01@malicious_site.com/malicious.html
> --------------------
>
> I'm trying to use an acl to prevent access to such urls. I tried this:
>
> acl ieflaw url_regex %01@
>
> and
>
> http_access deny ieflaw
>
> but this doesn't seem to do anything at all
This is a bit of a guess, but you might need to escape one or two of those
characters?
acl ieflaw url_regex \%01\@
should be safe.
Also, from a discussion on another mailing list, I believe the exploit is
still effective:
a) with one or more characters between the %01 and the @ (I don't know if
there's an upper limit to how many can be instered)
b) with certain other non-printable characters in place of the %01
Antony.
--
There are two possible outcomes:
If the result confirms the hypothesis, then you've made a measurement.
If the result is contrary to the hypothesis, then you've made a discovery.
- Enrico Fermi
Please reply to the list;
please don't CC me.
Received on Thu Dec 11 2003 - 08:29:13 MST
This archive was generated by hypermail pre-2.1.9 : Thu Jan 01 2004 - 12:00:10 MST