Re: IE URL obfuscation
From: Donovan Bernauer (donovan
DONOVANB.COM)
Date: Wed Dec 10 2003 - 14:06:07 CST
Normal C strings terminate at the first NULL char. This is the way IE reads
the current address when it writes to the address bar.
When using a browser shell, the shell uses COM and B-strings to get the info
from IE, and this properly handles the NULL char.
If you folks right-click the web page in question,
http://www.zapthedingbat.com/security/ex01/vun1.htm
And select 'properties', you'll see the correct address is really known by
IE - it's just the presentation code for the address bar that's goofed.
Donovan Bernauer
-----Original Message-----
From: Windows NTBugtraq Mailing List
[mailto:NTBUGTRAQ
LISTSERV.NTBUGTRAQ.COM] On Behalf Of Martin Christopher
Sent: Wednesday, December 10, 2003 7:08 AM
To: NTBUGTRAQ
LISTSERV.NTBUGTRAQ.COM
Subject: Re: IE URL obfuscation
This appears to be another case of 'Vanilla' IE implementations being
vulnerable to the 'ploit, but browsers with extensions / additions being
immune.
I am running the SlimBrowser enhancements for IE and it showed the url up
as:
http://www.microsoft.com
zapthedingbat.com/security/ex01/vun2.htm (exactly
as shown)
I would hypothesize that the results of this test are related to the
character sets installed on your machine / browser.
Martin Christopher
Microsoft Systems
Easynet Ltd
*/ The clock is ticking
and from now on we are keeping score /*
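
The mismatch described in the first message, as an added example that is not part of the original posts: the same bytes read as a NUL-terminated C string and as a length-counted string, plus a check a display routine could run before showing an address. The `counted_str` struct only stands in for a COM BSTR; it, the function names and the sample address are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Counted string standing in for a BSTR (assumption, not the COM API):
 * the length is kept separately, so an embedded NUL does not end it. */
struct counted_str {
    const char *data;
    size_t len;
};

/* Bytes a NUL-terminated reader (strlen, "%s") would actually show. */
size_t c_visible_len(struct counted_str s)
{
    const char *nul = memchr(s.data, '\0', s.len);
    return nul ? (size_t)(nul - s.data) : s.len;
}

/* Check before display: returns 1 if a C-string reader would hide part
 * of the string, or if it holds any control byte (< 0x20 or 0x7f). */
int has_hidden_or_control_bytes(struct counted_str s)
{
    if (c_visible_len(s) != s.len)
        return 1;
    for (size_t i = 0; i < s.len; i++) {
        unsigned char c = (unsigned char)s.data[i];
        if (c < 0x20 || c == 0x7f)
            return 1;
    }
    return 0;
}

/* Constructed sample: a 38-byte address with one embedded NUL byte. */
static const char SAMPLE[] = "http://shown.example\0real.example/page";

int main(void)
{
    struct counted_str s = { SAMPLE, sizeof(SAMPLE) - 1 };
    printf("counted length: %zu\n", s.len);
    printf("C-string view : %s (%zu bytes)\n", s.data, c_visible_len(s));
    printf("flagged       : %d\n", has_hidden_or_control_bytes(s));
    return 0;
}
```
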