No, it doesn't.
From one of the Bugtraq postings:
I don't see this problem with Mozilla Firebird 0.7. It displays the
whole URL including the %01 and everything after the @ symbol.
Will.
Pedro Castro wrote:
> It does also apply to Mozilla Firebird 0.7.
>
>
>
> John W. Noerenberg II wrote:
>
>> This exploit also applies to the Macintosh version of Explorer
>> v5.2.3(5815.1)
>>
>>> From:
>>> To: bugtraq@securityfocus.com
>>> Subject: Internet Explorer URL parsing vulnerability
>>>
>>>
>>>
>>> Internet Explorer URL parsing vulnerability
>>> Vendor Notified 09 December, 2003
>>>
>>> # Vulnerability ##########
>>> There is a flaw in the way that Internet Explorer displays URLs in
>>> the address bar.
>>>
>>> By opening a specially crafted URL an attacker can open a page that
>>> appears to be from a different domain from the current location.
>>>
>>> # Exploit ##########
>>> By opening a window using the http://user@domain nomenclature an
>>> attacker can hide the real location of the page by including a 0x01
>>> character after the "@" character.
>>> Internet Explorer doesn't display the rest of the URL making the page
>>> appear to be at a different domain.
>>>
>>> # POC ##########
>>> http://www.zapthedingbat.com/security/ex01/vun1.ht m
>>>
>>> # Tested ##########
>>> Internet Explorer
>>> Version 6.0.2800.1106C0
>>> Updates: SP1, Q810847, Q810351, Q822925, Q330994, Q828750, Q824145
>>>
>>> # Credit ##########
>>> Zap The Dingbat
>>> http://www.zapthedingbat.com/
Slashdot Mirror
No, it doesn't. From one of the Bugtraq postings: I don't see this problem with Mozilla Firebird 0.7. It displays the whole URL including the %01 and everything after the @ symbol. Will. Pedro Castro wrote: > It does also apply to Mozilla Firebird 0.7. > > > > John W. Noerenberg II wrote: > >> This exploit also applies to the Macintosh version of Explorer >> v5.2.3(5815.1) >> >>> From: >>> To: bugtraq@securityfocus.com >>> Subject: Internet Explorer URL parsing vulnerability >>> >>> >>> >>> Internet Explorer URL parsing vulnerability >>> Vendor Notified 09 December, 2003 >>> >>> # Vulnerability ########## >>> There is a flaw in the way that Internet Explorer displays URLs in >>> the address bar. >>> >>> By opening a specially crafted URL an attacker can open a page that >>> appears to be from a different domain from the current location. >>> >>> # Exploit ########## >>> By opening a window using the http://user@domain nomenclature an >>> attacker can hide the real location of the page by including a 0x01 >>> character after the "@" character. >>> Internet Explorer doesn't display the rest of the URL making the page >>> appear to be at a different domain. >>> >>> # POC ########## >>> http://www.zapthedingbat.com/security/ex01/vun1.ht m
>>>
>>> # Tested ##########
>>> Internet Explorer
>>> Version 6.0.2800.1106C0
>>> Updates: SP1, Q810847, Q810351, Q822925, Q330994, Q828750, Q824145
>>>
>>> # Credit ##########
>>> Zap The Dingbat
>>> http://www.zapthedingbat.com/