CVE-2003-1025
published 2004-01-20

Priority: P419 · medium · 4.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EXPLOIT
EPSS: 26.91% (97.8th percentile)
Internet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization Vulnerability."

Affected

2 ranges
Vendor | Product | Version range | Fixed in
microsoft | internet_explorer | |
microsoft | internet_explorer | |

Detection & IOCs (extracted from sources)

url: http://www.example.com%C0%AFfake_path%C0%AFfake_filename%C0%AEhtml%C0%[email protected]/
url: ftp://ftp.example.com%C0%AFpub%C0%AFopera%C0%AFwin%C0%AF723%C0%AFen%C0%AFstd%C0%AFow32enen723%C0%AEexe%C0%80:password@malicious_server/ow32enen723.exe
  • Detect URLs containing a '%01' (hex 0x01) character before an '@' symbol in the user@domain portion, which is the core obfuscation technique for CVE-2003-1025 in Internet Explorer 5.01–6 SP1.
  • Detect URLs containing the UTF-8 overlong encoding sequence '%C0%AF' (used as a path separator) combined with '%C0%80' (NULL) before an '@' symbol, indicating the Opera-variant URI obfuscation technique.
  • Flag HTML pages containing anchor href values that embed a '%01@' or '%C0%80@' pattern, as these are generated by exploit tooling to create phishing/spoofing pages targeting IE and Mozilla users.
  • The spoofed domain shown in the address bar is the portion before '%01@', while the actual destination is the domain after '@'. Detection logic must parse both sides of the '@' in a URL to identify the true destination versus the displayed domain.
  • The Opera variant uses overlong UTF-8 sequences (%C0%AF as '/', %C0%AE as '.', %C0%80 as NULL) rather than %01, requiring separate detection signatures from the IE/Mozilla variant.
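
The checks listed above, combined into one detector, as an added example (not code from this page or its sources). It splits the URL authority at the last '@', reports the displayed decoy and the actual host, and scans anchor href values in HTML; the function names, finding labels and sample URLs are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Authority = text between "scheme://" and the first "/", "?" or "#".
AUTHORITY = re.compile(r'^[a-z][a-z0-9+.\-]*://([^/?#]*)', re.I)
HREF = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.I)

# Decoded byte sequences named in the bullets above; labels are hypothetical.
MARKERS = {
    b'\x01': 'ctrl-01',              # %01, IE/Mozilla variant
    b'\xc0\xaf': 'overlong-slash',   # %C0%AF, Opera variant
    b'\xc0\xae': 'overlong-dot',     # %C0%AE
    b'\xc0\x80': 'overlong-null',    # %C0%80
}

def analyze_url(url):
    """Return displayed decoy, actual host and findings, or None if clean."""
    m = AUTHORITY.match(url.strip())
    if not m or '@' not in m.group(1):
        return None                      # no user@host portion at all
    # The last "@" in the authority separates userinfo from the real host.
    userinfo, _, hostport = m.group(1).rpartition('@')
    raw = unquote_to_bytes(userinfo)     # covers literal and %-encoded bytes
    hits = sorted((raw.find(seq), label)
                  for seq, label in MARKERS.items() if seq in raw)
    if not hits:
        return None                      # userinfo present but no marker
    return {
        'displayed': raw[:hits[0][0]].decode('ascii', 'replace'),
        'actual_host': re.sub(r':\d+$', '', hostport).lower(),
        'findings': [label for _, label in hits],
    }

def scan_html(html):
    """Analyze every quoted href value; return only the flagged ones."""
    return [r for href in HREF.findall(html) if (r := analyze_url(href))]

# Constructed sample page (not taken from any real site).
SAMPLE_HTML = '''
<a href="http://www.trusted.example%01@198.51.100.7/login.html">Sign in</a>
<a href="ftp://ftp.trusted.example%C0%AFpub%C0%AFsetup%C0%AEexe%C0%80:password@files.untrusted.example/setup.exe">Get</a>
<a href="http://user@intranet.example/">plain userinfo</a>
<a href="http://www.trusted.example/help?mail=a@b.example">no userinfo</a>
'''

if __name__ == '__main__':
    for finding in scan_html(SAMPLE_HTML):
        print(finding)
```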