From: Liu Die Yu (liudieyuinchina_at_yahoo.com.cn)
Date: Tue Sep 03 2002 - 07:49:20 CDT
it's about cross-site scripting at MSIEv6 client side using % encoding,
but not the same as the one by PeaceFire.org which doesn't work on my PC.
[tested]MSIEv6(CN version)
{IEXPLORE.EXE file version: 6.0.2600.0000}
{MSHTML.DLL file version: 6.00.2600.0000}
[demo]
at
http://www16.brinkster.com/liudieyu/2FforMSIE/2FforMSIE-MyPage.htm
or
clik.to/liudieyu ==> 2FforMSIE-MyPage section.
[exp]
%?? in URL is decoded when IE calculates the domain, but not decoded while
downloading a page.
so
[CODE.URL]http://www.yahoo.com%2Fclik.to/liudieyu
( 2F=hex$(asc('/')) )
leads to clik.to/liudieyu instead of www.yahoo.com, and the domain of it
is www.yahoo.com for IE
Very simple, that's all.
[contact]
liudieyuinchina
yahoo.com.cn
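
The mismatch described in the post, modelled as an added example (not code from the original message and not Internet Explorer's own logic): the host is derived once without decoding and once after decoding %XX, and a URL is flagged when the two readings differ. All function names and sample URLs are constructed for illustration.

```javascript
// Added example: two ways of deriving the host from the same URL string.
// A URL filter or log review can flag any URL where they disagree.

// Authority (userinfo@host:port) of an absolute URL, taken as-is, no decoding.
function rawAuthority(url) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^/?#]*)/i.exec(url);
  if (!m) throw new Error("not an absolute URL: " + url);
  return m[1];
}

// Strip userinfo and port from an authority and lowercase the host.
function hostOf(authority) {
  const noUser = authority.slice(authority.lastIndexOf("@") + 1);
  return noUser.replace(/:\d*$/, "").toLowerCase();
}

// Reading 1: split the URL first, never decode the authority.
function hostSplitFirst(url) {
  return hostOf(rawAuthority(url));
}

// Reading 2: decode every %XX first, then split (the order the post
// attributes to the domain calculation).
function hostDecodeFirst(url) {
  const decoded = url.replace(/%([0-9a-f]{2})/gi,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
  return hostOf(rawAuthority(decoded));
}

// Report both readings; "ambiguous" means two components could disagree
// about which site the URL belongs to.
function checkUrl(url) {
  const splitFirst = hostSplitFirst(url);
  const decodeFirst = hostDecodeFirst(url);
  return { url, splitFirst, decodeFirst, ambiguous: splitFirst !== decodeFirst };
}

// Keep only the URLs whose host depends on decoding order.
function flagAmbiguous(urls) {
  return urls.map(checkUrl).filter((r) => r.ambiguous);
}

// Constructed sample input (example hosts, not taken from the post).
const SAMPLE_URLS = [
  "http://trusted.example%2Fother.example/page", // encoded "/" in authority
  "http://trusted.example/a%2Fb",                // encoded "/" in path only
  "http://trusted.example%3A80/",                // encoded ":" in authority
];
for (const r of flagAmbiguous(SAMPLE_URLS)) {
  console.log(`${r.url}: ${r.splitFirst} vs ${r.decodeFirst}`);
}
```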