lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 11 May 2004 14:48:03 +0100
From: "Carl" <carl@...nda-rm.co.uk>
To: <bugtraq@...urityfocus.com>
Subject: Hiding URLs from Outlook and other mail clients



Today, one of our staff began receiving emails containing URL's similar
to this:

http://drs.yahoo.com/www.example.com/NEWS/*http://slashdot.org/#http://d
rs.yahoo.com/www.example.com/NEWS

When the link is viewed in Outlook (and also Kontact/Kmail), it only
displays the portion before the asterisk:

http://drs.yahoo.com/www.example.com/NEWS/

However, when the link is clicked, drs.yahoo.com issues an HTTP 302 and
redirects the browser to the site after the asterisk.

The URL our user received in her email redirected her to:

http://www.security-warning.biz/personal6/maljo24/www.YAHOO.com/terra.ht
ml

This HTML page then redirects the browser (using javascript) to:

http://www.danni.com/free/modelsdir.html (NOT work safe - it's a soft
porn site).

The worrying part for us was that both Outlook 2000 _and_ Kmail (only
after enabling the HTML facility) only displayed the portion of the URL
before the asterisk, making it easy to trick users into clicking
malicious links. Is this 'bug' actually a 'feature', a 'standard' or
just a coincidence?

Carl.


DISCLAIMER 
Any opinions expressed in this email are those of the individual and not necessarily the Company. This email and any files transmitted with it, including replies and forwarded copies (which may contain alterations) subsequently transmitted from the Company are confidential and solely for the use of the intended recipient. It may contain material protected by attorney-client privilege. If you are not the intended recipient or the person responsible for delivering to the intended recipient, be advised that you have received this email in error and that any use is strictly prohibited.



Powered by blists - more mailing lists