Another IE security Issue

Yet another Internet Explorer exploit has been discovered. This one is ripe for many of the phishing scams that have been going around.

Secunia have a good, detailed advisory.

The vulnerability is caused due to an input validation error, which can be exploited by including the “%01” URL encoded representation after the username and right before the “@” character in an URL.
Successful exploitation allows a malicious person to display an arbitrary FQDN (Fully Qualified Domain Name) in the address bar, which is different from the actual location of the page.

Steve Minutillo has an example. Andy at absoblogginlutely has another example.

Remember, these only ‘work’ as intended in Internet Explorer.

4 thoughts on “Another IE security Issue

  1. I would say it is absolutely an error. Because it does not show the rest of the url. In other places IE will show that character as a little square. In this case Mozilla etc. do exactly that. IE truncates the URL at that point.

Comments are closed.