lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.42.0209052233450.26057-100000@nimue.bos.bindview.com>
From: lcamtuf at dione.ids.pl (Michal Zalewski)
Subject: Fwd: Returned post for bugtraq@...urityfocus.com

On Thu, 5 Sep 2002 fooldisclosure@...hmail.com wrote:

> * Most (MOST) posts to bugtraq get rejected

That would be, I imagine, because most of what arrives to
bugtraq@...urityfocus.com is spam.

> * Security issues sent to bugtraq get 'sat on' by secfocus. Priority
> customers get priority notice.

Makes me wonder how much SF customers had to pay for 0-day knowledge of
the http://www.ebay.com%...%40 trick.

> Obviously the bugtraq moderators cannot see any issues with obfuscated
> URL's that look like http://www.ebay.com%252f%40evil.site.goes.here.

Considering the fact that you are the inventor of this technique, which
has been used for ages to obfuscate URLs and play pranks on less
knowledgeable users, and the fact that it does not buy you a thing - at
least with a person who knows how URLs work... It's vulnerability the same
way as SMTP is buggy because "From:" can be forged.

Here's a typical, ancient example of this prank I grepped from my
mailbox...

http://www.cnn.com%3b2001%3bshowbiz@....61.189.243/britney/index.html

Yes, you could fool a clueless user and make him think he's visiting
www.microsoft.com and has to enter his credit card number now. But same
way, you could fool him with a mail from "Administrator
<adm3736@...oo.com>". Or by telling him "I send you this file in order to
have your advice". But the vulnerable component is the user who has
insufficient knowledge about the tools he's using, not the software that
is working pretty well.

-- 
Michal Zalewski

Opinions expressed herein are mine, but generally I disagree with them.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ