Yet another Inter­net Explorer exploit has been dis­covered. This one is ripe for many of the phish­ing scams that have been going around.

Secunia have a good, detailed advis­ory.

The vul­ner­ab­il­ity is caused due to an input val­id­a­tion error, which can be exploited by includ­ing the “%01″ URL encoded rep­res­ent­a­tion after the user­name and right before the “@” char­ac­ter in an URL.
Suc­cess­ful exploit­a­tion allows a mali­cious per­son to dis­play an arbit­rary FQDN (Fully Qual­i­fied Domain Name) in the address bar, which is dif­fer­ent from the actual loc­a­tion of the page.

Steve Minutillo has an example. Andy at absob­log­gin­lutely has another example.

Remem­ber, these only ‘work’ as inten­ded in Inter­net Explorer.

It looks like Seyed has finally thrown in the towel. BlogShares has offi­cially closed down.

I am sorry to announce that BlogShares will not be reopen­ing after the cur­rent tech­nical dif­fi­culties are resolved. Cur­rently, the data­base server is dead and looks to be for the next few days.

It was fun while it las­ted. But as Seyed him­self says there has been a decline of qual­ity ser­vice, new fea­tures and ulti­mately income for the site in the last couple of months.

I’m glad to have been part of it from quite early on (I was mem­ber num­ber 341, joined at the end of March).