[Mimedefang] Browser Bug: Very bad in IE and varies on Netscapeand Mozilla
Kevin A. McGrail
kmcgrail at pccc.com
Sat Dec 20 21:56:48 EST 2003
I can tell you that this does work:
<A HREF=http://paypal.com%00@test.com>test</a>
What else might work, couldn't tell you. My theory without seeing code is
that it's a null terminated string issue since %00 should decode to a Null
char code. So a real null char should work on any system capable of
receiving an 8-bit character in an email.
BTW, I actually haven't seen %01 work but figured it doesn't hurt to check.
KAM
> I thought the exploit didn't use encoded non-printables, but depended on
> "real" non-printables. The message body would contain a non-printing
> character (NUL and Ctrl-A are just the ones used in the examples)
> immediately after the fake part of the URI and IE doesn't display the rest
> of the actual URI.
More information about the MIMEDefang
mailing list