[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <028201c3bf46$66b01ea0$1214dd80@corp.emc.com>
From: exibar at thelair.com (Exibar)
Subject: Re: Internet Explorer URL parsing vulnerability
Works as advertised on IE6.0.2800.1106.xpsp1.... interesting, must be the
httpS that's throwing it..
----- Original Message -----
From: "Rui Pereira" <ruiper@...w.ca>
To: "'Exibar'" <exibar@...lair.com>
Cc: <full-disclosure@...ts.netsys.com>
Sent: Wednesday, December 10, 2003 12:13 PM
Subject: RE: [Full-Disclosure] Re: Internet Explorer URL parsing
vulnerability
> Er, on IE6.0.2800.1106.xpsp2....this shows up as
> https://www.let_me_steal_your_money.com/ in the address line. Guess it
> don't work as advertised. Maybe we should all upgrade? ;)
>
> R
>
> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Exibar
> Sent: December 10, 2003 7:55 AM
> To: Feher Tamas; full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] Re: Internet Explorer URL parsing
> vulnerability
>
> I can see many people getting duped with this:
>
> https://www.paypal.com%01@....let_me_steal_your_money.com
>
> so I completely know where you're coming from.
>
> exibar
>
>
> ----- Original Message -----
> From: "Feher Tamas" <etomcat@...email.hu>
> To: <full-disclosure@...ts.netsys.com>
> Sent: Wednesday, December 10, 2003 3:23 AM
> Subject: [Full-Disclosure] Re: Internet Explorer URL parsing
> vulnerability
>
>
> > >Proof-of-Concept here:
> > >http://www.zapthedingbat.com/security/ex01/vun1.htm
> > >
> > >Vendor Notified 09 December, 2003
> >
> > Unless the bug has already been exploited by malicious people, it was
> > a highly irresponsible act to disclose it to the public, without
> giving
> > Microsoft a reasonable timeframe to produce a fix. It may even qualify
> > as a crime!
> >
> > Considering the simplicity of this URL faking trick, it will be
> certainly
> see
> > active use by scammers during this Christmas shopping season and
> > thousands of people will be robbed of their online banking accounts,
> > etc. The money will boost organized crime and the whole society will
> > suffer. A patch would give customers at least a theoretical chance to
> > protect themselves and the community.
> >
> > I certainly would not object to ZapDingbat getting sued for a few
> billion
> > bucks by M$ or the US Gov't sending him to a long recreation at
> > Guantanamo Bay. People like him discredit security research like
> > nothing else and his acts contribute towards legislation that will
> curb
> > people's right to investigate code.
> >
> > Regards: Tamas Feher.
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
> >
> >
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
>
>
Powered by blists - more mailing lists