[Mimedefang] Browser Bug: Very bad in IE and varies on Netscapeand Mozilla

Kevin A. McGrail kmcgrail at pccc.com
Sat Dec 20 21:56:48 EST 2003


I can tell you that this does work:

<A HREF=http://paypal.com%00@test.com>test</a>

What else might work, couldn't tell you.  My theory without seeing code is
that it's a null terminated string issue since %00 should decode to a Null
char code.  So a real null char should work on any system capable of
receiving an 8-bit character in an email.

BTW, I actually haven't seen %01 work but figured it doesn't hurt to check.

KAM

> I thought the exploit didn't use encoded non-printables, but depended on
> "real" non-printables. The message body would contain a non-printing
> character (NUL and Ctrl-A are just the ones used in the examples)
> immediately after the fake part of the URI and IE doesn't display the rest
> of the actual URI.



More information about the MIMEDefang mailing list