New embarrasing bug discovered in IE

[Xeen]

A new flaw has been found in Microshit's Internet Explorer.

Generally, spoofers lure customers to bogus e-commerce Web sites with the hope of capturing personal information, such as Social Security (news - web sites) and credit-card numbers. A consumer entering www.amazon.com would be redirected to the fake Web site, but "www.amazon.com" would appear in the address bar.

 

quote: The vulnerability is caused by an input validation error, "which can be exploited by including the '%01' URL encoded representation after the username and right before the '@' character in an URL" Secunia explains in its advisory.  

Looks like Microsoft just cant write software. Period.

http://story.news.yahoo.com/news?tmpl=story&ncid=1212&e=5&u=/nf/20031211/tc_nf/22845&sid=95573505

[WMD]

Another one?  Jesus.

It doesn't end, does it?

[Enmity]

Looks like Mozilla ain't immune
http://www.mozillazine.org/talkback.html?article=4078

[Zombie9920]

Ha

[Refalm]

Oh... that's too easy  

It isn't a flaw anyways, and it's not even Internet Explorer or Mozilla's fault.

Example:

http://www.cnn.com%[email protected]:81/dnserror.html

[ December 12, 2003: Message edited by: Refalm ]

[flap]

It is a flaw. The flaw being that the characters after the %01 character aren't displayed in the address bar (in vulnerable browsers).

[ December 12, 2003: Message edited by: flap ]

[WMD]

quote:Originally posted by Enmity:
Looks like Mozilla ain't immune
http://www.mozillazine.org/talkback.html?article=4078

I ran the test in Mozilla 1.5 and I don't have the flaw. \o/