Date: Sat, 1 May 2004 08:18:29 -0700
From: Michael Wojcik <Michael.Wojcik@...rofocus.com>
To: bugtraq@...urityfocus.com
Cc: "E.Kellinis" <me@...her.org.uk>
Subject: RE: IE Certificate Stealing (Phising) bug


> From: E.Kellinis [mailto:me@...her.org.uk] 
> Sent: Friday, April 30, 2004 11:09 AM
> 
> If inside the index page links and forms use virtual 
> pointers to directories or files
> (e.g. images/ or form/submit.php) we can use the trust 
> of the visitor and steal information. 

Those aren't called "virtual pointers to directories or files".  They're
"relative URLs".  It's worth pointing this out because your recommended fix:

> Do not use virtual directories, instead use the real path or URL
> Refresh access to the root directory

doesn't make sense as written.  "virtual directories" in this context
commonly refers to URL path segments that are mapped by the HTTP server to
filesystem entities with different names.  Avoiding them doesn't mitigate
this attack.  What you want to recommend here (presumably - I haven't tested
it myself) is using relative URLs as reference values in secure HTML pages.

-- 
Michael Wojcik
Principal Software Systems Developer, Micro Focus
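The distinction drawn above, as an added example that is not part of the original posting or its author's work: it resolves the relative references quoted in the thread ("images/", "form/submit.php") against two constructed base URLs, a hypothetical legitimate site bank.example and a hypothetical clone at attacker.example, to show that it is URL resolution in the browser that re-points a copied page's links, and that a server-side "virtual directory" alias (the hypothetical /images/ mapping below) has no influence on where the browser sends the request. The host names, paths and sample markup are all constructed for the illustration.

```javascript
// Added example, not code from the original posting. Demonstrates RFC 3986
// relative-reference resolution as a browser performs it (WHATWG URL), and
// why a server-side virtual-directory alias is orthogonal to it.

// Constructed sample markup of the kind the thread describes.
const SAMPLE_HTML = `
<a href="images/">Gallery</a>
<form action="form/submit.php" method="post"><input name="pw"></form>
<img src="/static/logo.png">
<a href="https://bank.example/login">Login</a>
`;

// Hypothetical document URLs: the legitimate site and a clone of the same markup.
const LEGITIMATE_BASE = 'https://bank.example/account/index.html';
const CLONE_BASE = 'https://attacker.example/clone/index.html';

// Pull href/action/src values out of the sample (a regex is enough for this fixture).
function extractReferences(html) {
  const re = /\b(?:href|action|src)="([^"]*)"/g;
  const refs = [];
  let m;
  while ((m = re.exec(html)) !== null) refs.push(m[1]);
  return refs;
}

// Classify a reference by how resolution will treat it.
function classify(ref) {
  if (/^[a-zA-Z][a-zA-Z0-9+.-]*:/.test(ref)) return 'absolute';
  if (ref.startsWith('/')) return 'root-relative';
  return 'path-relative';
}

// Resolve every reference against the document's base URL, as a browser does.
function resolveAll(refs, base) {
  return refs.map((ref) => new URL(ref, base).href);
}

// References whose destination host changes when the same markup is served from the clone.
function hijackedReferences(refs, legitimateBase, cloneBase) {
  const legit = resolveAll(refs, legitimateBase);
  const clone = resolveAll(refs, cloneBase);
  return refs.filter((_, i) => new URL(legit[i]).host !== new URL(clone[i]).host);
}

// Server-side virtual-directory mapping: a URL path prefix aliased to a directory
// with a different name. This runs on the server after the request has already
// arrived, so it cannot affect which host the browser sent that request to.
function serverPathFor(urlPath, docRoot, aliases) {
  for (const [prefix, dir] of Object.entries(aliases)) {
    if (urlPath.startsWith(prefix)) return dir + urlPath.slice(prefix.length);
  }
  return docRoot + urlPath;
}

function demo() {
  const refs = extractReferences(SAMPLE_HTML);
  for (const ref of refs) {
    console.log(`${classify(ref).padEnd(13)} ${ref}`);
    console.log(`  on legitimate site -> ${resolveAll([ref], LEGITIMATE_BASE)[0]}`);
    console.log(`  on clone           -> ${resolveAll([ref], CLONE_BASE)[0]}`);
  }
  console.log('re-pointed by the clone:', hijackedReferences(refs, LEGITIMATE_BASE, CLONE_BASE));
  // Hypothetical alias: whether /images/ lives in /srv/static/img/ or under the
  // document root changes only the filesystem path, never the request's host.
  console.log(serverPathFor('/images/logo.png', '/var/www', { '/images/': '/srv/static/img/' }));
}

demo();
```

Only the absolute reference keeps pointing at bank.example when the markup is served from the clone; both path-relative and root-relative references follow the document's own host, which is the behaviour the thread is about, and the alias table never enters into it.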
