Bugtraq
mailing list archives
Re: MSIEv6 % encoding - Konqueror 3.0.3 also vulnerable
From: Dirk Mueller <mueller () kde org>
Date: Sat, 7 Sep 2002 01:07:39 +0200
On Fri, 06 Sep 2002, Piotr Pawłow wrote:
> Test page for Konqueror is at:
> http://pp.siedziba.pl/2f/
This is actually not related to the % encoding problem in IE, but a general
regression that was introduced in the KDE 3.0.3 release.
Below is the fix which has been tested and committed to CVS already.
Note that this is a fairly minor problem, as the evilhacker can always
create a subdomain like yahoo.evilhacker.net and proxy the yahoo pages
there, and all browsers will give access to the frames in this case.
Note that in any case the "wrong" URL is still visible in the location bar
so it should be obvious that although it looks like yahoo, it isn't
yahoo at all.
--
Dirk
Attachment:
crosside-3.0.diff