‘Internet Explorer Handling of %20 Allows Spoofing’

Summary

‘Internet Explorer supports two forms of host in a URI (Uniform Resource Identifier): a fully qualified domain name and a dotted IP address. Whenever Internet Explorer receives the dotted IP form, it will ignore any characters written after an escaped space sign (%20). This opens the user to attack, as he can be tricked into thinking he is connecting to a certain server while in fact he is connected to another.’

Credit:

‘The information has been provided by RSnake.’


Details

Vulnerable Systems:
 * Internet Explorer version 6.0 SP1
 * Internet Explorer version 6.0 SP2
 * Internet Explorer version 5.0
 * Internet Explorer version 5.5

Apparently IE handles IPs in URLs as something like (as you might expect):
 http://xxx.xxx.xxx.xxx/

But the problem is that if you put a %20 in the IP address like this, it will still render (assuming I am under 16 characters between the slashes):
 http://x.x.x.x%20/

It is looking for 16 characters and ignores anything after the %20 (space). This becomes a problem in the case of a short URL, as you can put in some data here, like so:
 http://x.x.x.x%20a.com/

Further, if the real IP address is on a server that can handle this (IIS doesn’t know how to handle it in all the cases I have tested, but Apache handles it fine by default) and you have either Earthlink’s FraudEliminator or CoreStreet’s SpoofStick, they give incorrect information. (Please don’t hit this poor guy’s IP; he just happened to have one short enough to test this):
http://www.shocking.com/~rsnake/images/rs/percenttwenty.jpg
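
The defensive counterpart to the behaviour described above is a host check that refuses to truncate: the whole authority must be a valid dotted quad or a valid DNS name, and a percent-encoded byte anywhere in the host is grounds for rejecting the URL rather than silently cutting it short. The following is an added example (not code from the advisory or from RSnake) using only the Python standard library; the hostnames in the comments are constructed.

```python
import re
from urllib.parse import urlsplit, unquote

# Strict grammars for the two host forms the advisory discusses.
_DOTTED_QUAD = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
_DNS_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify_host(url: str) -> "tuple[str, str]":
    """Return (kind, detail) where kind is 'ip', 'dns' or 'rejected'.

    A host such as '1.2.3.4%20a.example' (constructed) must never be
    reported as 1.2.3.4: the authority is validated as one unit, so an
    embedded %20 cannot hide the trailing part of the name.
    """
    try:
        raw_host = urlsplit(url).hostname
    except ValueError as exc:
        return ("rejected", f"unparseable URL: {exc}")
    if not raw_host:
        return ("rejected", "empty host")

    if "%" in raw_host:
        # No legitimate hostname needs percent-encoding in the authority;
        # report what it would decode to so the reason is visible in logs.
        decoded = unquote(raw_host)
        return ("rejected", f"percent-encoded host {raw_host!r} decodes to {decoded!r}")

    m = _DOTTED_QUAD.match(raw_host)
    if m:
        if all(0 <= int(octet) <= 255 for octet in m.groups()):
            return ("ip", raw_host)
        return ("rejected", f"octet out of range in {raw_host!r}")

    # Anything else must be a well-formed DNS name (IPv6 literals are out
    # of scope here and are rejected rather than guessed at).
    labels = raw_host.rstrip(".").split(".")
    if len(raw_host) <= 253 and all(_DNS_LABEL.match(label) for label in labels):
        return ("dns", raw_host.lower())
    return ("rejected", f"invalid characters in host {raw_host!r}")
```

A proxy, link scanner or anti-phishing toolbar that applies this check would have reported the advisory's URLs as rejected instead of displaying the leading IP.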

Categories: Windows