MSIEv6 % encoding causes a problem again

2002-09-04T00:00:00
ID SECURITYVULNS:DOC:3451
Type securityvulns
Reporter Securityvulns
Modified 2002-09-04T00:00:00

Description

it's about cross-site scripting at MSIEv6 client side using % encoding, but not the same as the one by PeaceFire.org which doesn't work on my PC.

[tested]MSIEv6(CN version) {IEXPLORE.EXE file version: 6.0.2600.0000} {MSHTML.DLL file version: 6.00.2600.0000}

[demo] at http://www16.brinkster.com/liudieyu/2FforMSIE/2FforMSIE-MyPage.htm or clik.to/liudieyu ==> 2FforMSIE-MyPage section.

[exp] %?? in URL is decoded when IE caculates the domain, but not decoded while downloading a page. so [CODE.URL]http://www.yahoo.com%2F@clik.to/liudieyu ( 2F=hex$(asc('/')) ) leads to clik.to/liudieyu instead of www.yahoo.com, and the domain of it www.yahoo.com for IE

Very simple, that's all.

[contact] liudieyuinchina@yahoo.com.cn