Message-ID: <1AC6834C-2B73-11D8-B33A-000A959D1CB2@iisc.com>
Date: Wed, 10 Dec 2003 19:43:57 -0500
From: Charles Richmond <cmr@...c.com>
To: Andreas Plesner Jacobsen <apj@...t.dk>
Cc: bugtraq@...urityfocus.com
Subject: Re: Internet Explorer URL parsing vulnerability


Using the POC at http://www.zapthedingbat.com/security/ex01/vun1.htm

The following do NOT have the vulnerability.

MacOSX 10.2.28    Mozilla Firebird 0.6      NOT vulnerable
MacOSX 10.2.28    Mozilla Firebird 0.7.1    NOT vulnerable
MacOSX 10.2.28    IE 5.2.2 (5010.1)         NOT vulnerable
MacOSX 10.2.28    IE 5.2.3 (5815.1)         NOT vulnerable

With both Firebird and IE the following is the same result. The
line below is a cut/paste.

http://www.microsoft.com%01@...thedingbat.com/security/ex01/vun2.htm

Does someone have a different test site?

Bugtraq seems to be holding my posts lately so if you don't see this
please relay it to the list.

On Wednesday, December 10, 2003, at 02:26 PM, Andreas Plesner Jacobsen wrote:

> On Wed, Dec 10, 2003 at 12:13:57AM +0000, Pedro Castro wrote:
>>>> From: <bugtraq@...thedingbat.com>
>>>> To: bugtraq@...urityfocus.com
>>>> Subject: Internet Explorer URL parsing vulnerability
>>>>
>>>> Internet Explorer URL parsing vulnerability
>>>> Vendor Notified 09 December, 2003
>>>>
>>>> # Vulnerability ##########
>>>> There is a flaw in the way that Internet Explorer displays URLs in
>>>> the address bar.
>>>>
>>>> By opening a specially crafted URL an attacker can open a page that
>>>> appears to be from a different domain from the current location.
>>>>
>>> This exploit also applies to the Macintosh version of Explorer
>>> v5.2.3(5815.1)
>>
>> It does also apply to Mozilla Firebird 0.7.
>
> Not the Linux edition, perhaps only on Windows?
>
> -- 
> Andreas Plesner Jacobsen | Owe no man any thing...
>                          |         	-- Romans 13:8
>
>

    Charles Richmond    Implemented Integrated Systems Corporation
       cmr@...c.com   cmr@....org   YIM:cmriisc   http://www.iisc.com
    O/S, I18N, Systems Development, Process and Integration Providers
             131 Bishop's Forest Drive , Waltham , Ma. USA 02452
       (781) 647 2246   FAX (781) 647 3665   Cellular (781) 389 9777
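
A defensive check for the URL shape tested in this thread (host-like text and an encoded control character in front of the `@`), as an added example that is not part of the original post. The names `inspectUrl`, `decodeLoosely` and `SAMPLES`, and the example.com / example.net URLs, are constructed for illustration.

```javascript
// Added example: report when the userinfo part of a URL could be mistaken
// for the host. Everything before the last "@" in the authority is userinfo;
// the host the client actually contacts is what follows it.

// Hostname-shaped text such as "www.example.com" (dot-separated labels).
const HOSTLIKE = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i;
const CONTROL = /[\x00-\x1f\x7f]/g;

// Decode %XX escapes one at a time so a malformed escape cannot throw.
function decodeLoosely(s) {
  return s.replace(/%([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

function inspectUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch (e) {
    return { host: null, reasons: ["unparseable"] };
  }
  const reasons = [];
  const user = decodeLoosely(u.username);
  if (user !== "" || u.password !== "") {
    reasons.push("userinfo-present");
    // A control character can cut off what a display routine shows.
    if (user.search(CONTROL) !== -1) reasons.push("control-char-in-userinfo");
    // Compare what a reader would see with the real host.
    const visible = user.replace(CONTROL, "").toLowerCase();
    if (HOSTLIKE.test(visible) && visible !== u.hostname) {
      reasons.push("userinfo-looks-like-host");
    }
  }
  return { host: u.hostname, reasons };
}

// Constructed sample URLs (placeholder hosts, not taken from the post).
const SAMPLES = [
  "http://www.example.com/index.htm",
  "http://alice@example.net/",
  "http://www.example.com%01@example.net/security/page.htm",
];
for (const s of SAMPLES) {
  const r = inspectUrl(s);
  console.log(s, "->", r.host, r.reasons.join(",") || "clean");
}
```
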



