CVE-2003-1025
Published 2004-01-20
Priority P4 · 19 · medium · 4.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EXPLOIT
EPSS: 26.91% (97.8th percentile)
Internet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization Vulnerability."
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
Detection & IOCs
url: ftp://ftp.example.com%C0%AFpub%C0%AFopera%C0%AFwin%C0%AF723%C0%AFen%C0%AFstd%C0%AFow32enen723%C0%AEexe%C0%80:password@malicious_server/ow32enen723.exe
- Detect URLs containing a '%01' (hex 0x01) character before an '@' symbol in the user@domain portion, which is the core obfuscation technique for CVE-2003-1025 in Internet Explorer 5.01–6 SP1.
- Detect URLs containing the UTF-8 overlong encoding sequence '%C0%AF' (used as a path separator) combined with '%C0%80' (NULL) before an '@' symbol, indicating the Opera-variant URI obfuscation technique.
- Flag HTML pages containing anchor href values that embed a '%01@' or '%C0%80@' pattern, as these are generated by exploit tooling to create phishing/spoofing pages targeting IE and Mozilla users.
- The spoofed domain shown in the address bar is the portion before '%01@', while the actual destination is the domain after '@'. Detection logic must parse both sides of the '@' in a URL to identify the true destination versus the displayed domain.
- The Opera variant uses overlong UTF-8 sequences (%C0%AF as '/', %C0%AE as '.', %C0%80 as NULL) rather than %01, requiring separate detection signatures from the IE/Mozilla variant.
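The detection logic in the notes above, as an added Python example that is not part of the original page or of any cited source. The function names, the sample HTML and the `www.trusted.example` / `203.0.113.5` link are constructed; the FTP URL is the one quoted in the IOC list. It goes slightly beyond the notes by flagging the markers anywhere in the userinfo, not only directly before `@`, and by folding any two-byte overlong form of an ASCII byte.

```python
import re
from urllib.parse import unquote_to_bytes

AUTHORITY = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://([^/?#]*)")
HREF = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
OVERLONG = re.compile(rb"[\xc0\xc1][\x80-\xbf]")  # overlong 2-byte UTF-8 for an ASCII byte
CONTROL = re.compile(rb"[\x00-\x1f]")             # covers 0x01 and NUL

def _fold_overlong(match):
    # %C0%AF -> '/', %C0%AE -> '.', %C0%80 -> NUL
    lead, cont = match.group(0)
    return bytes([((lead & 0x1F) << 6) | (cont & 0x3F)])

def analyze_url(url):
    """None if the URL has no userinfo; else displayed text, real host, techniques."""
    m = AUTHORITY.match(url)
    if not m or "@" not in m.group(1):
        return None
    userinfo, _, hostport = m.group(1).rpartition("@")
    raw = unquote_to_bytes(userinfo)
    techniques = []
    if b"\x01" in raw:
        techniques.append("ie-mozilla-%01")
    if OVERLONG.search(raw):
        techniques.append("opera-overlong-utf8")
    # Approximate what the user is shown: userinfo up to the first control byte.
    folded = OVERLONG.sub(_fold_overlong, raw)
    shown = CONTROL.split(folded, maxsplit=1)[0].decode("ascii", "replace")
    return {"displayed": shown, "real_host": hostport, "techniques": techniques}

def scan_html(html):
    """Findings for every href whose userinfo carries one of the markers."""
    results = (analyze_url(href) for href in HREF.findall(html))
    return [r for r in results if r and r["techniques"]]

# Constructed sample page: a benign link, a constructed %01 link, and the
# Opera-variant URL quoted in the IOC list.
SAMPLE_HTML = """
<a href="https://www.example.org/docs">docs</a>
<a href="http://www.trusted.example%01@203.0.113.5/login.html">sign in</a>
<a href="ftp://ftp.example.com%C0%AFpub%C0%AFopera%C0%AFwin%C0%AF723%C0%AFen%C0%AFstd%C0%AFow32enen723%C0%AEexe%C0%80:password@malicious_server/ow32enen723.exe">get</a>
"""

if __name__ == "__main__":
    for hit in scan_html(SAMPLE_HTML):
        print(hit)
```

A URL with ordinary credentials (`user:pw@host`) is parsed but returns an empty `techniques` list, so alerting can key on that list rather than on the mere presence of `@`.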
GHSA
GHSA-wjcf-x5xh-gf27: Visual truncation vulnerability in Microsoft Internet Explorer 6 allows remote attackers to spoof the address bar via a URL with a hostname containing
ghsa_unreviewed·2022-05-14·CVSS 4.3
CVE-2008-4787 [MEDIUM] GHSA-wjcf-x5xh-gf27: Visual truncation vulnerability in Microsoft Internet Explorer 6 allows remote attackers to spoof the address bar via a URL with a hostname containing
Visual truncation vulnerability in Microsoft Internet Explorer 6 allows remote attackers to spoof the address bar via a URL with a hostname containing many (Non-Blocking Space character) sequences, which are rendered as whitespace, aka MSRC ticket MSRC7899, a related issue to CVE-2003-1025.
GHSA
GHSA-crf3-j64w-gfx8: Internet Explorer 5
ghsa_unreviewed·2022-04-29
CVE-2003-1025 [MEDIUM] CWE-20 GHSA-crf3-j64w-gfx8: Internet Explorer 5
Internet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization Vulnerability."
No detection rules found.
Exploit-DB
Microsoft Windows Server 2000/2003 - Recursive DNS Spoofing (2)
exploitdb·2007-11-13
CVE-2007-3898 Microsoft Windows Server 2000/2003 - Recursive DNS Spoofing (2)
---
source: https://www.securityfocus.com/bid/25919/info
Microsoft Windows DNS Server is prone to a vulnerability that permits an attacker to spoof responses to DNS requests.
A successful attack will corrupt the DNS cache with attacker-specified content. This may aid in further attacks such as phishing.
#!/usr/bin/perl
use strict;
use Net::DNS;
use Net::DNS::Nameserver;
use IO::Socket;
use Net::RawIP;
sub usage {
print ("$0 is a program for DNS id spoofing.\n");
print ("usage: $0 target tospoof ourzone port\n");
print ("Example: $0 ns1.belbone.be www.hotmail.com .cache-poisoning.net 1025\n");
}
my($target, $tospoof, $ourzone, $query_port) = @ARGV;
$tospoof = "www.hotmail.com" unless($tospoof);
$ourzone = ".cache-poiso
Exploit-DB
Opera Browser 6.0 6 - URI Display Obfuscation
exploitdb·2003-12-23
CVE-2003-1025 Opera Browser 6.0 6 - URI Display Obfuscation
---
source: https://www.securityfocus.com/bid/9281/info
A weakness has been reported in Opera that may allow attackers to obfuscate the URI for a visited page. The problem is said to occur when a URI that is designed to access a specific location with a supplied username contains a specially crafted sequence of characters. These characters will be interpreted as a NULL due to UTF-8 encoding. This sequence may be placed as part of the username value prior to the @ symbol in the malicious URI to aid in obfuscating the URI for a visited page.
An attacker could exploit this issue by supplying a malicious URI pointing to a page designed to mimic that of a trusted site, and tricking a victim who follows a link into believing they are actually at
Exploit-DB
Microsoft Internet Explorer 5/6 / Mozilla 1.2.1 - URI Display Obfuscation (1)
exploitdb·2003-12-09
CVE-2003-1025 Microsoft Internet Explorer 5/6 / Mozilla 1.2.1 - URI Display Obfuscation (1)
---
source: https://www.securityfocus.com/bid/9182/info
A weakness has been reported in multiple browsers that may allow attackers to obfuscate the URI for a visited page. The problem is said to occur when a URI designed to access a specific location with a supplied username contains a hexadecimal 1 value prior to the @ symbol.
An attacker could exploit this issue by supplying a malicious URI pointing to a page designed to mimic that of a trusted site, and tricking a victim who follows a link into believing they are actually at the trusted location.
On Error Resume Next
PromtStart = "Do you want to create a web page to exploit Internet Explorer 5.01, 5.5 and 6.0 on Windows" _
& " platforms?" & vbcrlf
Exploit-DB
Microsoft Internet Explorer 5/6 / Mozilla 1.2.1 - URI Display Obfuscation (2)
exploitdb·2003-12-09
CVE-2003-1025 Microsoft Internet Explorer 5/6 / Mozilla 1.2.1 - URI Display Obfuscation (2)
---
source: https://www.securityfocus.com/bid/9182/info
A weakness has been reported in multiple browsers that may allow attackers to obfuscate the URI for a visited page. The problem is said to occur when a URI designed to access a specific location with a supplied username contains a hexadecimal 1 value prior to the @ symbol.
An attacker could exploit this issue by supplying a malicious URI pointing to a page designed to mimic that of a trusted site, and tricking a victim who follows a link into believing they are actually at the trusted location.
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/23423.zip
No writeups or analysis indexed.
- http://www.kb.cert.org/vuls/id/652278
- http://www.securityfocus.com/archive/1/346948
- http://www.us-cert.gov/cas/techalerts/TA04-033A.html
- http://www.zapthedingbat.com/security/ex01/vun1.htm
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2004/ms04-004
- https://exchange.xforce.ibmcloud.com/vulnerabilities/13935
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A490
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A491
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A510
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A511
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A512
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A513
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A526
Published: 2004-01-20