Re: [Evolution-hackers] Security Bug in HTML



> do you remember last security bug in Internet Explorer?

This is *totally* unrelated.


> urls like "http://url1 %01   %01@url2/path" are shown as url1 while link
> is relative to url2 site.

The issue in IE is, those %01 strings can confuse IE and let it
*display* another URL (in the statusbar, when the mouse is over the
link) than it actually is requesting when the link is clicked.


> The attached message shows same bug in my Evolution-1.4.5 +
> GtkHTML-3.0.9.

As Evolution 1.4.x does *not* show the target URL while the mouse is
over the link, this is not related.

Evolution 1.5.x does show the target URL. So this can only apply to
1.5.x and later versions. Check the statusbar of 1.5.x versions, if the
*displayed* URL matches the *target* URL.


> Is it solved or must I open a bugzilla entry?

Check it against 1.5.x. Cannot comment without this.


This is the link in your attached message (copied from source):

<a href=3D"http://www2.bancopopular.es%01%01%01%01%01%01%01%01%01%01%01%01%=
01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%=
01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%=
01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%=
01 %77%77%77%2E%6E%65%77%6D%6F%6E%63%2E%63%6F%6D:%38%30/%67%62/%73%65%72%76=
%69%6E%2E%70%68%70">https://www2.bancopopular.es/AppBPE/servlet/servin?p_pm=
=3Dbo&p_pf=3Dc&p_id=3Desp</a>


What you just were referring to in your OP, is a widespread method to
only fool braindead users -- or users who do not see the target URL at
all (sic, Evolution <= 1.4.x).

This is similar to <a href="http://evil.site.com">saint</a>, where the
user only will see the text "saint" *inside* the message. This is just
plain HTML and *must* be this way. Anything else would be dead wrong.


Any sensitive Browser and Mailer will show the target link in the
statusbar, while the mouse is over the link.

Evolution 1.4.x does not do this. Evolution 1.5.x does it, but I don't
know if it may fail. IE does show it, but it *decodes* the target URL
and may display only parts of it when certain strings (like the %01) are
a part of the target URL (the href value).


Hope this explained the issue. We still do not know how Evolution 1.5.x
will actually *display* the target URL in the status bar when handling
your attached message.

...guenther


-- 
char *t="\10pse\0r\0dtu\0  ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
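
Added example, not part of the original message and not Evolution or GtkHTML code: a Python check that a mail filter could run over a quoted-printable HTML part to report the host each link really targets and to flag the userinfo, %01 padding and percent-encoded host discussed above. The hosts bank.example and other.example, the sample bytes and all function names are constructed for illustration.

```python
import quopri
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Raw or percent-encoded control characters and spaces (%00-%20).
CTRL = re.compile(r"%(?:[01][0-9A-Fa-f]|20)|[\x00-\x20]")

class AnchorCollector(HTMLParser):  # collects (href, visible text) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit(href, text):
    """Return (host actually contacted, flags); split first, decode after."""
    netloc = urlsplit(href.strip()).netloc
    _userinfo, at, hostport = netloc.rpartition("@")
    host = unquote(hostport.partition(":")[0]).lower()
    flags = []
    if at:
        flags.append("userinfo")        # text before '@' is never the host
    if CTRL.search(netloc):
        flags.append("control-chars")   # e.g. the %01 padding
    if "%" in hostport:
        flags.append("encoded-host")    # real host hidden behind %XX escapes
    shown = urlsplit(text).hostname if re.match(r"https?://", text, re.I) else None
    if shown and shown != host:
        flags.append("text-mismatch")   # link text names a different site
    return host, flags

def audit_message(raw_qp):  # raw_qp: quoted-printable HTML body as bytes
    collector = AnchorCollector()
    collector.feed(quopri.decodestring(raw_qp).decode("latin-1"))
    return [(text, *audit(href, text)) for href, text in collector.links]

# Constructed sample (placeholder hosts) following the pattern described above.
SAMPLE = (b'<a href=3D"http://bank.example%01%01%01=\n'
          b'%01@%6F%74her.example:%38%30/p">https://bank.example/login</a>\n'
          b'<a href=3D"http://other.example/">saint</a>\n')
```

The second sample link yields no flags: link text that is not itself a URL is ordinary HTML, so only the target host reported for it is of interest.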



