I am not sure of the intended point of the exploit since you have @roguehost and not a proper POC, but I believe all you have triggered is normal behavior for auto logging into .htaccess protected folders in the form username:password@host.com<br>
<br><a href="http://forum.sambarserver.info/viewtopic.php?p=288">http://forum.sambarserver.info/viewtopic.php?p=288</a><br><a href="http://www.freewebmasterhelp.com/tutorials/htaccess/3">http://www.freewebmasterhelp.com/tutorials/htaccess/3</a><br>
<br>I did it with <a href="http://google.com">google.com</a> and @<a href="http://mail.yahoo.com">mail.yahoo.com</a> and it tried to log me into <a href="http://mail.yahoo.com">mail.yahoo.com</a> with google.... as my username, as expected.<br>
<br><div class="gmail_quote">On Feb 4, 2008 2:10 PM, carl hardwick &lt;<a href="mailto:hardwick.carl@gmail.com">hardwick.carl@gmail.com</a>&gt; wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Firefox seems to have trouble with defining the proper hostname when<br>requesting an SSL connection. I was able to trick Firefox into thinking<br>the hostname behind the at-sign is legit and the same as the URI that<br>requested an SSL connection, and this without a warning.<br>
<br>PoC: <a href="https://www.gmail.com%C0%AF%C0%AF%C0%C0%80@roguehost.com" target="_blank">https://www.gmail.com%C0%AF%C0%AF%C0%C0%80@roguehost.com</a><br><br>You can add as much garbage between .com and the @ sign.<br><br>
So what else can we do?<br><br>PoC:<br>www.cnn.com%C0%AF%C0%AF%C0%C0%80@google<br>www.gmail.com%C0%AF%C0%AF%C0%C0%80@hotmail<br><br>ah heck we don't need that at all:<br>www.gmail.comxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx@hotmail<br>
<br>works fine also :)<br><br>_______________________________________________<br>Full-Disclosure - We believe in it.<br>Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html" target="_blank">http://lists.grok.org.uk/full-disclosure-charter.html</a><br>
Hosted and sponsored by Secunia - <a href="http://secunia.com/" target="_blank">http://secunia.com/</a><br></blockquote></div><br>
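The reply above reads these links as ordinary username:password@host URLs: everything before the @ is userinfo, and the host is what follows it. The following is an added example, not part of the original thread, that uses the standard WHATWG `URL` parser to show which host a link really targets and to flag userinfo that imitates a domain name; the function name `inspectAuthority` and the lookalike heuristic are assumptions made for illustration.

```javascript
// Added example, not from the thread. inspectAuthority and the
// lookalike heuristic are illustrative assumptions.
const HOSTLIKE = /^(?:[a-z0-9-]+\.)+[a-z]{2,}/i; // e.g. "www.gmail.com..."
const HAS_SCHEME = /^[a-z][a-z0-9+.-]*:\/\//i;

function inspectAuthority(raw) {
  // Schemeless samples (www.cnn.com...@google) get http:// so they parse.
  const text = HAS_SCHEME.test(raw) ? raw : "http://" + raw;
  let url;
  try {
    url = new URL(text);
  } catch (err) {
    return { valid: false, host: null, userinfo: "", deceptive: false };
  }
  // Userinfo is kept percent-encoded: %C0%AF is not valid UTF-8, so
  // decodeURIComponent would throw on the thread's samples.
  const userinfo = url.password
    ? url.username + ":" + url.password
    : url.username;
  return {
    valid: true,
    host: url.hostname,   // where the connection actually goes
    userinfo,             // credentials, never part of the host
    deceptive: HOSTLIKE.test(url.username), // userinfo dressed up as a domain
  };
}

// Inputs copied from the thread, plus one ordinary URL for contrast.
const samples = [
  "https://www.gmail.com%C0%AF%C0%AF%C0%C0%80@roguehost.com",
  "www.cnn.com%C0%AF%C0%AF%C0%C0%80@google",
  "username:password@host.com",
  "https://www.gmail.com/",
];
for (const s of samples) console.log(s, inspectAuthority(s));
```

A mail filter or link preview can apply the same check and display `host` rather than the raw link text.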