| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: exibar at thelair.com (Exibar) Subject: Re: Internet Explorer URL parsing vulnerability Works as advertised on IE6.0.2800.1106.xpsp1.... interesting, must be the httpS that's throwing it.. ----- Original Message ----- From: "Rui Pereira" <ruiper@...w.ca> To: "'Exibar'" <exibar@...lair.com> Cc: <full-disclosure@...ts.netsys.com> Sent: Wednesday, December 10, 2003 12:13 PM Subject: RE: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability > Er, on IE6.0.2800.1106.xpsp2....this shows up as > https://www.let_me_steal_your_money.com/ in the address line. Guess it > don't work as advertised. Maybe we should all upgrade? ;) > > R > > -----Original Message----- > From: full-disclosure-admin@...ts.netsys.com > [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Exibar > Sent: December 10, 2003 7:55 AM > To: Feher Tamas; full-disclosure@...ts.netsys.com > Subject: Re: [Full-Disclosure] Re: Internet Explorer URL parsing > vulnerability > > I can see many people getting duped with this: > > https://www.paypal.com%01@....let_me_steal_your_money.com > > so I completely know where you're coming from. > > exibar > > > ----- Original Message ----- > From: "Feher Tamas" <etomcat@...email.hu> > To: <full-disclosure@...ts.netsys.com> > Sent: Wednesday, December 10, 2003 3:23 AM > Subject: [Full-Disclosure] Re: Internet Explorer URL parsing > vulnerability > > > > >Proof-of-Concept here: > > >http://www.zapthedingbat.com/security/ex01/vun1.htm > > > > > >Vendor Notified 09 December, 2003 > > > > Unless the bug has already been exploited by malicious people, it was > > a highly irresponsible act to disclose it to the public, without > giving > > Microsoft a reasonable timeframe to produce a fix. It may even qualify > > as a crime! > > > > Considering the simplicity of this URL faking trick, it will be > certainly > see > > active use by scammers during this Christmas shopping season and > > thousands of people will be robbed of their online banking accounts, > > etc. The money will boost organized crime and the whole society will > > suffer. A patch would give customers at least a theoretical chance to > > protect themselves and the community. > > > > I certainly would not object to ZapDingbat getting sued for a few > billion > > bucks by M$ or the US Gov't sending him to a long recreation at > > Guantanamo Bay. People like him discredit security research like > > nothing else and his acts contribute towards legislation that will > curb > > people's right to investigate code. > > > > Regards: Tamas Feher. > > > > > > _______________________________________________ > > Full-Disclosure - We believe in it. > > Charter: http://lists.netsys.com/full-disclosure-charter.html > > > > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html > > > >
Powered by blists - more mailing lists