IE just got funnier!

A fun bug that will crack you up like hell!

         

sidyadav

9:45 pm on Dec 15, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



[secunia.com...]

Enter this in your browser:

http://www.msn.com@www.yahoo.com

It will take you to yahoo.com showing msn.com in the address bar! ;)

similar though:
enter this in your browser:

http://www.[YOUR_COMPETITOR_SITE].com@www.[YOUR_SITE].com
(replace the brackets and the text) and guess what you'll get, your competitor's domain in the address bar with your content!

similar similar though:
enter this in your browser:

http://www.[YOUR_COMPETITOR_SITE].com@www.[SOME_CRAPPY_SITE_FROM_YOUR_SITE'S_/_YOUR_COMPETITORS_SITES_TOPIC].com
(again replace the text and the brackets) and guess what you'll get? a crappy site on your competitors domain!
Do the opposite of it, you'll get your competitors site on some crappy domain!

I could go on this forever...

;)

Sid

too much information

9:51 pm on Dec 15, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



would be funny, but it didn't work for me.

Maybe there was already a patch for it?

pendanticist

9:52 pm on Dec 15, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Including this ""? Or, is that one of 'dem 'der WebmasterWorld ideosinkracies?

Pendanticist.

encyclo

10:02 pm on Dec 15, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The strange character is actually either %01 or %00, and the bug can be used to display a fake FQDN. Note, you have to unescape the URL to make this work. Try something like this:

<script type="text/javascript">

document.write(unescape('http://www.google.com%01@www.yahoo.com'));

</script>

There are a ton of articles covering this.

[edited by: encyclo at 10:13 pm (utc) on Dec. 15, 2003]

sidyadav

10:09 pm on Dec 15, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



> would be funny, but it didn't work for me.

I don't know why, it worked for me (include a "", it's not a 'dem 'der WebmasterWorld ideosinkracies!)
oh great , look at us, we are all trying to make this bug work! ;)

Sid

TheDoctor

11:50 am on Dec 17, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I got the yahoo page with "http://www.msn.com@www.yahoo.com/" in the address bar.

The browser treats "www.msn.com" as a user name. Presumably, what you see will depend upon browser type/browser settings, and may be, for all I know, adjustable by the user.

Shadows Papa

12:54 pm on Dec 17, 2003 (gmt 0)

10+ Year Member



A. The original [msn.com@www.yahoo.com...] did work for me with MSN in the address bar.

B. Not so sure why all of those examples are funny -? Funny in that it's a joke, or is pulling something over on someone? Weird, maybe. Maybe funny if you place such a link on your site and people believe they are going to a competing site but get a crap site instead? Some will see through it, others will think "gee, his link is not working right" and they will assume you've messed up. I would....

C. I suspect it's not so much a bug as the side effect of a feature - the ability to go to protected sites, or FTP addresses using a string with your name and password piped in. In other words, I can access a protected site simply by typing in the string with the address, my user ID and my password. This seems to be similar.......

Shadows Papa

TheWhippinpost

1:19 pm on Dec 17, 2003 (gmt 0)

10+ Year Member



This is a spammer's trick that's been doing the rounds for a while - The user clicks on a paypal link, gets taken to a scam site but the address bar still shows paypal.

Shadows Papa

1:31 pm on Dec 17, 2003 (gmt 0)

10+ Year Member



True, it's a spammers' twisted trick, I'd call them more thieves, not so much spammers. Con artists.
On the other hand, I don't follow links embedded in email messages, being a computer security and anti-virus person, I should know better.
Simply don't trust anything that claims to be sent by paypal, ebay, etc as they just plain don't send such email.
I can't believe, well, maybe I DO believe it - that so many people will actually click and follow such links, or even bother to read or open such a message. They get the bit-bucket treatment here. To think that people will actually enter their user info and credit card info just because an email told them to do so. Gee.
Unless it's something I've signed up for, and I can verify the header info of the message, or, if it's HTML, I'll view the code first maybe, I just trash it. I know that NO reputable company will ever ask ME for such information and rarely would they send me an email with a link in it.

This is all also another reason to NOT use IE. Firebird showed the entire link string, with Yahoo's fav icon. IE is the most unsecure browser ever created. That's because they try to be all things to all people.

Shadows Papa

dcrombie

1:54 pm on Dec 17, 2003 (gmt 0)



This syntax has been available since at least Netscape 3 and probably before - at least for FTP connections:

ftp://username:password@domain.name/path/to/directory

The "bug" seems to be a typical M$ attempt to 'stupify' the interface by hiding the username:password details from the user.

sidyadav

9:33 pm on Dec 17, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



> Not so sure why all of those examples are funny -?

lol, read the message title.

Sid

TheDoctor

9:57 pm on Dec 17, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



>the "bug" seems to be a typical M$ attempt to 'stupify' the interface

Yes, I got the effect described when I used IE. Yet another reason to stick to Opera - where I don't get the effect - I suppose.

photon

6:58 pm on Dec 19, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



There's an open source patch for this: http*//security.openwares.org/.

sidyadav

7:20 pm on Dec 19, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Wow, nice find photon :) the bug is now *fixed*

Sid

encyclo

8:02 pm on Dec 19, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



> There's an open source patch for this: http*//security.openwares.org/

AAArrrggghh! This "patch" has been called a trojan elsewhere, and apparently includes at least one buffer overrun itself. Here's a hint - never apply "fixes" from untrusted sources. IE needs to be fixed by Microsoft, not by some unknown company with an unknown agenda.

ggrot

8:26 pm on Dec 19, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Actually it's not a trojan. It phones home only the urls which are of this syntax, so for general surfing there is no data sent. As for the buffer underrun, I don't know about that. You can find out more from the slashdot article about the same.

dcheney

10:10 pm on Dec 19, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



hehe, M$ will issue a fix, if it feels like it, next month - in the meantime - enjoy the bug :-)

(or use a real browser - Opera ;-)

encyclo

10:12 pm on Dec 19, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



> Actually it's not a trojan. It phones home only the urls which are of this syntax, so for general surfing there is no data sent.

I think my point still stands - the fact that users are happy to install any old patch or program from any old source is why spyware, scumware, viruses and trojans are so widespread. How much expertise does this company have in how IE works, seeing that IE is a firmly closed-source product? How can they be sure that it won't break other programs? Even if they are acting in pure good faith, they are very unlikely to have the capacity to produce a good patch. IE can only be patched by Microsoft because only Microsoft has the source code. As for the "phoning home", I would consider that to be underhand - perhaps not a trojan, but certainly scumware or adware.

If you want a decent, fully verified, quality patch for this bug, try one [mozilla.org] of [opera.com] these [mozilla.org].

amznVibe

10:47 pm on Dec 19, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



also see this thread [webmasterworld.com] (pre-dates this one by 4 days)

photon

11:47 pm on Dec 19, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



As with any patch--including those from Microsoft--install at your own risk.

encyclo, I'm already using Opera and Firebird as my main browsers. I offered the address because I thought that it would interest the folks around here, most of whom I believe have enough experience to make an informed decision to use it or not.

amznVibe

12:31 am on Dec 20, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The 3rd party patch has some serious issues and is being withdrawn [internetnews.com]. (Also see here [theregister.co.uk])

It's got a buffer overflow vulnerability, memory leak problems, and a "liveupdate" backdoor that people didn't notice at first. Not a good thing and I hate how this only encourages long delays by Microsoft.

Shadows Papa

4:50 am on Dec 20, 2003 (gmt 0)

10+ Year Member



I simply can't believe anyone would even consider putting such a patch on their computer. May or may not make it better now, but what could it do to future releases or patches by MS?
No real computer tech would even consider such a thing.

Anything other than a genuine patch by the real supplier of original software should ever be applied. And only after much testing!

(and such a patch isn't needed if folks don't blindly click links in email or pages they can't trust 100%)

Shadows Papa
(former IT Analyst/computer anti-virus and security manager)

IanKelley

8:09 am on Dec 20, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Someone called this what it is earlier in the thread but no one seems to have noticed :-)

It's not a bug!

The @ in the url tells the browser (ANY browser) that you're trying to access a site that requires a username:password combination.

Once access has been granted, IE will no longer display the username:password as part of the url. This is an intentional feature that was added for the same reason that a password field displays *s instead of the real password.

tobyink

10:30 am on Dec 21, 2003 (gmt 0)

10+ Year Member



> It's not a bug!
>
> The @ in the url tells the browser (ANY browser) that you're trying to access a site that requires a username:password combination.

You simply don't understand the bug. Sure, the @ in URLs is used for specifying user names and passwords (although no, it doesn't work in all browsers).

The bug is that if you include a null character "%00" in a URL, then everything after the null character will be hidden away and never shown to the user.

So this:
[microsoft.com%00@www.kernel.org ]

Will open up kernel.org but only display "http://www.microsoft.com" in the address bar for IE.
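
The distinction drawn in the posts above (ordinary `user:password@host` credentials versus a host-shaped "username" or a %00/%01 byte hiding the real host) can be checked mechanically before a link is shown or followed. This is an added example, not part of any poster's message; `classifyLink` and its verdict names are hypothetical, and the sample URLs in the comments are the ones quoted in this thread.

```javascript
// Added example: classify the userinfo part (text before "@") of a link.
// classifyLink, safeDecode and the verdict strings are hypothetical names.
const HOSTLIKE = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i;   // looks like a.b or a.b.c
const CONTROL = /[\u0000-\u001f\u007f]/;           // includes %00 and %01 once decoded

function safeDecode(s) {
  // Malformed %xx sequences make decodeURIComponent throw; keep the raw text then.
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

function classifyLink(raw) {
  let url;
  try { url = new URL(raw); } catch (e) { return { verdict: 'unparseable' }; }

  const user = safeDecode(url.username);
  const pass = safeDecode(url.password);
  const result = { realHost: url.hostname, userinfo: user, verdict: 'no-userinfo' };
  if (user === '' && pass === '') return result;

  // A control byte in userinfo is what cut off the address bar display in IE.
  const hasControl = CONTROL.test(user) || CONTROL.test(pass);

  // A "username" shaped like a domain name is what misleads the reader,
  // e.g. http://www.msn.com@www.yahoo.com
  const visible = user.replace(new RegExp(CONTROL.source, 'g'), '');
  const hostLike = HOSTLIKE.test(visible) &&
                   visible.toLowerCase() !== url.hostname;

  if (hasControl) result.verdict = 'control-char-in-userinfo';
  else if (hostLike) result.verdict = 'hostlike-userinfo';
  else result.verdict = 'credentials';   // e.g. ftp://username:password@domain.name/
  return result;
}
```

`realHost` is the host the request actually goes to, so a mail filter or link preview can display it next to the verdict.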

sidyadav

11:22 am on Dec 21, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



> So this:
> [microsoft.com%00@www.kernel.org...]
>
> Will open up kernel.org but only display "http://www.microsoft.com" in the address bar for IE.


This is what I get, for the link you specified:
kernel.org in the address bar, as well as the homepage displaying of kernel.org but in the status bar, I get:
Opening [microsoft.com...]
(3 items remaining) Downloading picture [microsoft.com<...]

The URL and the content/page that appears is kernel.org.

> It's not a bug!

Then what is it? Is it a feature in *all* browsers, especially made for Spamming?
I do agree, this does work in every browser (I tried it in Opera, Netscape, Mozilla and IE). Let's just wait for MS to release a patch, but wait, this bug is getting applied in every browser! Who should we trust?

Sid

photon

6:46 pm on Dec 21, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Opera will pop up a security warning that you're about to go to a site using a username and password. Once you click okay, the entire url is shown, not just the www.fakedomain.com.

Firebird gives no warning, but does show the entire url.

IanKelley

8:04 pm on Dec 21, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Toby... When I click the link you posted I get:

[kernel.org...]

As expected. I get it in the address bar and I get kernel.org's content. I'm using IE6 SP1, the most commonly used version of IE. I haven't downloaded a patch or update in at least a month.