Check out the HTML source of this page that explains a new exploit discovered for MSIE. I can see a lot of people getting pulled by this one: what percentage of web users even know how to ‘view source’, and even if you do, you’re not going to check every page you go to.
By opening a window using the http://user@domain form, an attacker can hide the real location of the page by placing a 0x01 character after the “@” character.
Internet Explorer doesn’t display the rest of the URL, so the page appears to be on a different domain.
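As an added defender-side example (not code from the original post or from Simon’s weblog), this Python check pulls the authority section out of a link, looks for a control character in the user part, and reports the host the browser would really connect to next to the text a user would be shown; the domain names and sample HTML are constructed placeholders.

```python
import re
from urllib.parse import unquote

# ASCII control characters; a 0x01 right after the "@" is what truncates the
# address Internet Explorer displays, hiding everything that follows it.
CONTROL_CHARS = {chr(c) for c in range(0x00, 0x20)} | {chr(0x7F)}
_AUTHORITY_RE = re.compile(r'^[A-Za-z][A-Za-z0-9+.\-]*://([^/?#]*)')
_HREF_RE = re.compile(r'''href\s*=\s*["']([^"']+)["']''', re.IGNORECASE)

def _host_of(hostport: str) -> str:
    """Strip a :port suffix, keeping bracketed IPv6 literals intact."""
    if hostport.startswith("["):
        return hostport[: hostport.index("]") + 1]
    return hostport.split(":")[0]

def analyze_link(url: str) -> dict:
    """Classify one absolute URL: "ok" (no userinfo), "userinfo" (a user@
    prefix but nothing hidden) or "spoof" (a control character in the userinfo
    hides the real host). Also reports the real host and what a user would see."""
    m = _AUTHORITY_RE.match(url)
    if not m:
        return {"verdict": "ok", "real_host": None, "shown_as": url}
    authority = m.group(1)
    if "@" not in authority:
        return {"verdict": "ok", "real_host": _host_of(authority), "shown_as": authority}
    # The last "@" separates the userinfo from the host the browser really connects to.
    userinfo, hostport = authority.rsplit("@", 1)
    decoded = unquote(userinfo)  # "%01" becomes "\x01"; a raw 0x01 is kept as-is
    cut = next((i for i, ch in enumerate(decoded) if ch in CONTROL_CHARS), None)
    if cut is None:
        return {"verdict": "userinfo", "real_host": _host_of(hostport),
                "shown_as": f"{decoded}@{hostport}"}
    # Everything from the control character onward would be invisible in the address bar.
    return {"verdict": "spoof", "real_host": _host_of(hostport), "shown_as": decoded[:cut]}

def find_spoofed_links(html: str) -> list:
    """Return (href, real_host) for every link in the HTML source judged a spoof."""
    flagged = []
    for href in _HREF_RE.findall(html):
        info = analyze_link(href)
        if info["verdict"] == "spoof":
            flagged.append((href, info["real_host"]))
    return flagged

# Constructed sample page source (not from the post): one disguised link, one plain one.
SAMPLE_HTML = (
    '<a href="http://www.example-bank.com%01@attacker.example/login">Log in</a>\n'
    '<a href="http://www.example-bank.com/help">Help</a>\n'
)
```

Running `find_spoofed_links` over a page’s source is the automated version of the ‘view source’ check the post says almost nobody does by hand.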
Reminds me, I still have to get the anti-string cut stuff working in Seagull.
Thanks to Simon’s weblog for the alert.