> From: Nick FitzGerald [mailto:nick@virus-l.demon.co.uk]
> Hi Thor,
> Doesn't the following have similar implications to the issue in your
> TL#002 advisory??

Hi Nick, close but no cigar - yet.

In its current state, this % encoding issue cannot escape protocol boundaries, which means that it cannot go from the Internet Zone to the My Computer Zone and execute commands or read local files. It can, however, do arbitrary cross domain scripting on any site in its current protocol, which means that you can steal cookies and read/change arbitrary content from foreign sites. If you e.g. have an HTTPS site yourself, you can read/change the content for any other HTTPS site displayed to the user - change the login form actions, read the users' bank accounts, etc.

The issue is not so much with escaped versions of / or \, but with escaping of characters in itself. When actually retrieving the content, IE looks at the escaped version of your URI and fetches your malicious code from brinkster.com (escaping the yahoo.com part makes it part of Basic Authentication). When it later needs to check cross domain security settings and see whether the 2 windows may communicate, it looks at the unescaped version of your URI - which by now is a reference to yahoo.com instead of brinkster.com, with the Basic Authentication being part of the filename.

Regards
Thor
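A defender-side check for the discrepancy Thor describes, where the host seen when the URI is parsed with escapes intact differs from the host seen after unescaping. This is an added example, not code from the original post or advisory; the host names are constructed placeholders.

```python
"""Detect URLs whose host differs depending on whether percent-escapes
are decoded before or after the URL is split into its components.

Added example, not part of the original mailing-list thread. Host names
used below are constructed placeholders (RFC 2606 reserved names)."""
from urllib.parse import urlsplit, unquote


def host_views(url: str) -> tuple:
    """Return (host_when_parsed_raw, host_when_decoded_first).

    The first view is what a fetcher that keeps escapes intact sees; the
    second is what a component that unescapes before parsing sees. The
    thread describes the fetch using the first view and the cross-domain
    check using the second, which is exactly the mismatch flagged here."""
    raw = urlsplit(url)
    decoded = urlsplit(unquote(url))
    return raw.hostname, decoded.hostname


def check_url(url: str) -> dict:
    """Flag the two conditions a URL validator should treat as suspicious:
    a host that changes between the two views, and any userinfo at all,
    since an '@' in the authority is what lets an escaped prefix pass as
    a Basic Authentication credential in one view and a path in the other."""
    raw_host, decoded_host = host_views(url)
    return {
        "raw_host": raw_host,
        "decoded_host": decoded_host,
        "host_mismatch": raw_host != decoded_host,
        "has_userinfo": urlsplit(url).username is not None,
    }


if __name__ == "__main__":
    # Constructed samples: a benign URL with an ordinary escaped space, and
    # one embedding an escaped path so the two views disagree on the host.
    for sample in (
        "http://other.example/a%20b.html",
        "http://trusted.example%2Fpage@other.example/x.html",
    ):
        print(sample, check_url(sample))
```

A URL that trips either flag should be rejected or canonicalised once, before any fetch or origin comparison, so every later decision sees the same authority.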