[<prev] [next>] [day] [month] [year] [list]
Message-ID: <75C025AE395F374B81F6416B1D4BDEFB01C3BDB6@mtv-corpmail.microfocus.com>
Date: Sat, 1 May 2004 08:18:29 -0700
From: Michael Wojcik <Michael.Wojcik@...rofocus.com>
To: bugtraq@...urityfocus.com
Cc: "E.Kellinis" <me@...her.org.uk>
Subject: RE: IE Certificate Stealing (Phising) bug
> From: E.Kellinis [mailto:me@...her.org.uk]
> Sent: Friday, April 30, 2004 11:09 AM
>
> If inside the index page links and forms use virtual
> pointers to directories or files
> (e.g. images/ or form/submit.php) we can use the trust
> of the visitor and steal information.
Those aren't called "virtual pointers to directories or files". They're
"relative URLs". It's worth pointing this out because your recommended fix:
> Do not use virtual directories , instead use the real path or url
> Refresh access to the root directory
doesn't make sense as written. "virtual directories" in this context
commonly refers to URL path segments that are mapped by the HTTP server to
filesystem entities with different names. Avoiding them doesn't mitigate
this attack. What you want to recommend here (presumably - I haven't tested
it myself) is using relative URLs as reference values in secure HTML pages.
--
Michael Wojcik
Principal Software Systems Developer, Micro Focus
Powered by blists - more mailing lists