[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.42.0209052233450.26057-100000@nimue.bos.bindview.com>
From: lcamtuf at dione.ids.pl (Michal Zalewski)
Subject: Fwd: Returned post for bugtraq@...urityfocus.com
On Thu, 5 Sep 2002 fooldisclosure@...hmail.com wrote:
> * Most (MOST) posts to bugtraq get rejected
That would be, I imagine, because most of what arrives to
bugtraq@...urityfocus.com is spam.
> * Security issues sent to bugtraq get 'sat on' by secfocus. Priority
> customers get priority notice.
Makes me wonder how much SF customers had to pay for 0-day knowledge of
the http://www.ebay.com%...%40 trick.
> Obviously the bugtraq moderators cannot see any issues with obfuscated
> URL's that look like http://www.ebay.com%252f%40evil.site.goes.here.
Considering the fact that you are the inventor of this technique, which
has been used for ages to obfuscate URLs and play pranks on less
knowledgeable users, and the fact that it does not buy you a thing - at
least with a person who knows how URLs work... It's vulnerability the same
way as SMTP is buggy because "From:" can be forged.
Here's a typical, ancient example of this prank I grepped from my
mailbox...
http://www.cnn.com%3b2001%3bshowbiz@....61.189.243/britney/index.html
Yes, you could fool a clueless user and make him think he's visiting
www.microsoft.com and has to enter his credit card number now. But same
way, you could fool him with a mail from "Administrator
<adm3736@...oo.com>". Or by telling him "I send you this file in order to
have your advice". But the vulnerable component is the user who has
insufficient knowledge about the tools he's using, not the software that
is working pretty well.
--
Michal Zalewski
Opinions expressed herein are mine, but generally I disagree with them.
Powered by blists - more mailing lists