Open Source and information security mailing list archives
 
Date: Fri, 12 Dec 2003 15:30:26 -0000
From: "http-equiv@...ite.com" <1@...ware.com>
To: <bugtraq@...urityfocus.com>
Cc: <NTBugtraq@...tserv.ntbugtraq.com>
Subject: Secunia Advisory: URL Spoofing




While Secunia is doing a fantastic job [truly] of compiling 
advisories as soon as issues are discovered by others, they do need 
to make it absolutely clear to the media that they appear to have to 
talk to and in the information that they release just who found 
these flaws.

This particular url spoofing issue is being diluted across the major 
wires as follows [there are several others as well]:

'The Web browser flaw, discovered Tuesday by Danish tech security 
firm Secunia, could trigger a surge in an e-mail scam, called 
phishing, security experts say.' 

http://www.usatoday.com/tech/news/2003-12-11-microsoft2_x.htm

'Secunia says it has found an "input validation" error in Internet 
Explorer. By exploiting this vulnerability, known as a URL-spoofing 
vulnerability, attackers can display any URL name they wish in the 
address and status bars of IE.'

http://www.internetwk.com/breakingNews/showArticle.jhtml?articleID=16700306

'Secunia, a company that provides security services worldwide, 
claims to have found a vulnerability in Internet Explorer 6 that 
would allow domain names to be spoofed. The result would make it 
appear that a user were connecting to one domain when, in reality, 
he or she was communicating with a completely different domain. If 
done properly, an attacker could fool a user into inputting 
sensitive or private information.'

http://www.geek.com/news/geeknews/2003Dec/gee20031211023028.htm

There is a tiny credit notation at the end of each of the so-called 
Secunia 'advisories' on secunia.com but that is proving to be 
insufficient.

Initial reporting was accurate in crediting: Zap The Dingbat, who 
found this. Let's not have the excitement of the moment get in the 
way of the facts:

http://www.zapthedingbat.com/security/ex01/vun1.htm


-- 
http://www.malware.com






