Message-ID: <003b01c3bf40$ef2976b0$0f02a8c0@wcglap001>
From: ruiper at shaw.ca (Rui Pereira)
Subject: Re: Internet Explorer URL parsing vulnerability
Er, on IE6.0.2800.1106.xpsp2....this shows up as
https://www.let_me_steal_your_money.com/ in the address line. Guess it
don't work as advertised. Maybe we should all upgrade? ;)
R
-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Exibar
Sent: December 10, 2003 7:55 AM
To: Feher Tamas; full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability
I can see many people getting duped with this:
https://www.paypal.com%01@....let_me_steal_your_money.com
so I completely know where you're coming from.
exibar
----- Original Message -----
From: "Feher Tamas" <etomcat@...email.hu>
To: <full-disclosure@...ts.netsys.com>
Sent: Wednesday, December 10, 2003 3:23 AM
Subject: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability
> >Proof-of-Concept here:
> >http://www.zapthedingbat.com/security/ex01/vun1.htm
> >
> >Vendor Notified 09 December, 2003
>
> Unless the bug has already been exploited by malicious people, it was
> a highly irresponsible act to disclose it to the public, without giving
> Microsoft a reasonable timeframe to produce a fix. It may even qualify
> as a crime!
>
> Considering the simplicity of this URL faking trick, it will certainly see
> active use by scammers during this Christmas shopping season and
> thousands of people will be robbed of their online banking accounts,
> etc. The money will boost organized crime and the whole society will
> suffer. A patch would give customers at least a theoretical chance to
> protect themselves and the community.
>
> I certainly would not object to ZapDingbat getting sued for a few billion
> bucks by M$ or the US Gov't sending him to a long recreation at
> Guantanamo Bay. People like him discredit security research like
> nothing else and his acts contribute towards legislation that will curb
> people's right to investigate code.
>
> Regards: Tamas Feher.
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>