Open Source and information security mailing list archives
 
Date: Mon, 26 Jan 2004 15:09:55 -0500
From: Stuart Moore <smoore.bugtraq@...urityglobal.net>
To: Thor Larholm <thor@...x.com>, bugtraq@...urityfocus.com
Subject: Re: Windows XP Explorer Executes Arbitrary Code in Folders


Thor,

>Why don't we call a spade a spade?

You are rather humorous!  But I can be humorous, too:  why don't we call a folder a folder?

Seriously, though, the interesting part is indeed not the self execution and not the HTML 
in Local zone.  The more interesting part is the HTML file as folder.  Considering that 
the typical Microsoft OS user has no clue what a MIME type is (and, for that matter, does 
not know what HTML is, and doesn't know about zones), do you think that having an HTML 
file be announced by the operating system's GUI as a folder is a Good Thing or a Bad 
Thing?  I would suggest that it leans more towards Idiot Engineering (http-equiv's term) 
than Trustworthy Computing (MS term).

Stuart



