[Full-Disclosure] Re: Internet Explorer URL parsing vulnerabi lity
nick at virus-l.demon.co.uk
Fri Dec 12 11:08:31 GMT 2003
jbruce at unitedscience.com wrote:
> Using internet explorer, you can also put http://firstname.lastname@example.org
> and that will take you to google. It only matters what you put after the
> @ sign. I noticed that one day while putting in my email address in for
And not _just_ in IE.
What you have described is, in fact, more or less the "expected
behaviour" of a web browser given the input you described and RFC 2396.
Surely to comment in such a thread you have read the RFC that defines
the format of URIs:
Search for "userinfo".
I'll repeat my earlier suggestion that I'm sure it would be greatly
appreciated all round if only moderately clueful responses were posted
in this thread...
Full-Disclosure is hosted and sponsored by Secunia.