RadicalResearch

CVE-2003-1025

In December 2003 I published details of a vulnerability in Internet Explorer that allowed an attacker to spoof the domain of the URL displayed in the address bar.

The following report is maintained for reference.

Internet Explorer URL parsing vulnerability
Vendor Notified 09 December, 2003
# Vulnerability ##########
There is a flaw in the way that Internet Explorer displays URLs in the address bar.
By opening a specially crafted URL an attacker can open a page that appears to be from a different domain from the current location.
# Exploit ##########
By opening a window using the http://user@domain nomenclature an attacker can hide the real location of the page by including a 0x01 character after the "@" character.
Internet Explorer doesn't display the rest of the URL, making the page appear to be at a different domain.
# POC ##########
http://www.zapthedingbat.com/security/ex01/vun1.htm
# Tested ##########
Internet Explorer
Version 6.0.2800.1106C0
Updates: SP1, Q810847, Q810351, Q822925, Q330994, Q828750, Q824145
# Credit ##########
Zap The Dingbat
http://www.zapthedingbat.com/

― Greenhalgh, S. "Internet Explorer URL Parsing Vulnerability." BugTraq. N.p., 9 Dec. 2003. Web. <http://www.securityfocus.com/archive/1/346948>.

Internet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization Vulnerability."

― CVE. "Common Vulnerabilities and Exposures." CVE-2003-1025. N.p., 6 Apr. 2004. Web. <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1025>.
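As an added example (not part of the advisory or the CVE entry above), the following Python splits a URL's authority the way RFC 3986 prescribes, so the host a browser actually connects to is separated from any userinfo, and flags the patterns the advisory and CVE text describe: a userinfo part shaped like a hostname and control characters (such as 0x01) in the authority. The sample URLs, hostnames and function names are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# C0 control characters and DEL: never legitimate in a URL authority. The
# advisory above describes 0x01 being used to cut the displayed URL short.
CONTROL_CHARS = {chr(c) for c in range(0x20)} | {"\x7f"}
# Dot-separated labels such as "www.example.com" (constructed sample):
# userinfo shaped like a hostname is what a user is meant to mistake for the site.
HOSTLIKE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


@dataclass
class UrlCheck:
    real_host: str                 # where a connection would actually go
    userinfo: Optional[str]        # text before the last '@', if any
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def authority_of(url: str) -> str:
    """Authority per RFC 3986: after '://' up to the first '/', '?' or '#'."""
    _, sep, rest = url.partition("://")
    if not sep:
        raise ValueError("expected an absolute URL with a scheme")
    return re.split(r"[/?#]", rest, maxsplit=1)[0]


def check_url(url: str) -> UrlCheck:
    """Split the authority the way RFC 3986 does and flag deceptive userinfo."""
    authority = authority_of(url)
    # Everything before the LAST '@' is userinfo; the real host follows it.
    userinfo, at, hostport = authority.rpartition("@")
    host = hostport.rsplit(":", 1)[0].lower()  # strip port (IPv6 literals not handled)
    result = UrlCheck(real_host=host, userinfo=userinfo if at else None)
    if at:
        result.reasons.append("userinfo present: displayed text may not be the host")
        if any(ch in CONTROL_CHARS for ch in userinfo):
            result.reasons.append("control character in userinfo")
        # Compare what a user would see, ignoring invisible control characters.
        visible = "".join(ch for ch in userinfo.split(":", 1)[0] if ch not in CONTROL_CHARS)
        if HOSTLIKE.match(visible):
            result.reasons.append(f"userinfo {visible!r} looks like a hostname")
    if any(ch in CONTROL_CHARS for ch in host):
        result.reasons.append("control character in host")
    return result
```

Running `check_url` over a link before it is rendered or followed yields the real host alongside the reasons for suspicion, which is the check a mail gateway or link-rewriting proxy would apply to this class of URL.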