Date: Mon, 13 Jun 2011 12:19:43 -0400
From: Valdis.Kletnieks@...edu
To: secn3t@...il.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: POC for a simple gmail/possible code injection into html which can be executed in an email, i will make the PoC code and explain how here and now...

On Sun, 12 Jun 2011 11:33:17 +1000, -= Glowing Doom =- said:

> This code is not what shows up when it is dissected.
> It shows up with many x41 all over the email when it is done properly.

Part of the problem is that your original PoC mail didn't in fact have x41s all
over the place.  Your original e-mail showed up as a multipart/alternative. In
the text/plain part, it had:

PoC1.
Ok, this is a PoC , this actual whole sentence...<http://www.lemonparty.biz>

And in the text/html part, it had (quoted-printable and all):

one, you can make the whole email, a url... i will do this right now..<br><=
br><br>PoC1.<br><a href=3D"http://www.lemonparty.biz">Ok, this is a PoC , t=
his actual whole sentence...</a><br><br><br>PoC 2:<br><br><a href=3D"http:/=
/www.goggle.com">I wrote that sentecne, then, i backspaced it and blacked i=
t over with copy , then, enter url to wherver i want...There is 3 ways i ha=
ve found todo this, when i dissected one of them, the URL/Sentence, was gfu=
ll of x41\x41\x41 , very strange... because it is still able to be done 3 w=

All of which makes it rather hard to figure out what you're talking about.  All
anybody sees is perfectly normal HTML anchor text, which is a *feature* that's
probably older than many readers of this list. ;)

See page 4 of the *original* HTML spec from 1993:

http://www.w3.org/MarkUp/draft-ietf-iiir-html-01.txt

which includes the text:

                   Item one has an
                  <A NAME="anchor">
                   anchor
                  </A>



Content of type "application/pgp-signature" skipped
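An added example, not part of this mail or the thread: a defender-side check of the point made above, that what a reader sees is anchor text while the destination is the href. It builds a constructed multipart/alternative message modelled on the one described (text/plain part plus a quoted-printable text/html part whose link text is an ordinary sentence), decodes the HTML part with the standard-library email module, and lists each anchor's href beside its visible text, flagging anchors whose visible text is itself a hostname that differs from the real destination. All hosts and addresses are placeholders.

```python
import email
import email.policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

def build_sample() -> bytes:
    """Constructed multipart/alternative mail (placeholder hosts): text/plain plus a
    quoted-printable text/html part whose anchor text is an ordinary sentence."""
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = "PoC", "sender@example.test", "rcpt@example.test"
    msg.set_content("PoC1.\nOk, this is a PoC, this actual whole sentence...<http://link.example.test>\n")
    html = ('PoC1.<br><a href="http://link.example.test">Ok, this is a PoC, '
            'this actual whole sentence...</a><br>'
            '<a href="http://other.example.test/login">http://bank.example.test</a>')
    msg.add_alternative(html, subtype="html", cte="quoted-printable")
    return msg.as_bytes()

class AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_anchors(raw: bytes):
    """Return (href, visible_text, suspicious) for every anchor in the text/html part.
    The flag is set only when the visible text itself looks like a URL or hostname
    whose host differs from the real destination host; prose anchor text is not flagged."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    results = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        parser = AnchorCollector()
        parser.feed(part.get_content())  # get_content() undoes the quoted-printable encoding
        for href, text in parser.anchors:
            real_host = (urlparse(href).hostname or "").lower()
            looks_like_url = "." in text and " " not in text
            shown_host = urlparse(text if "://" in text else "//" + text).hostname or ""
            results.append((href, text, looks_like_url and shown_host != real_host))
    return results
```

Running `audit_anchors(build_sample())` reports the sentence-text anchor as unflagged and the anchor whose text names one host while its href points at another as suspicious.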
