| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: exibar at thelair.com (Exibar) Subject: Re: Internet Explorer URL parsing vulnerability Yes, that's what I meant. httpS is throwing it on SP2 (meant that this vuln. doesn't work for httpS on SP2) of course I assume that this vuln works at all on SP2 :-) Been a long day already... is it Friday yet? :-) Ex ----- Original Message ----- From: "Rui Pereira" <ruiper@...w.ca> To: "'Exibar'" <exibar@...lair.com> Cc: <full-disclosure@...ts.netsys.com> Sent: Wednesday, December 10, 2003 1:00 PM Subject: RE: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability > I am also on SP2...you are SP1 > > R > > -----Original Message----- > From: Exibar [mailto:exibar@...lair.com] > Sent: December 10, 2003 9:52 AM > To: Rui Pereira > Cc: full-disclosure@...ts.netsys.com > Subject: Re: [Full-Disclosure] Re: Internet Explorer URL parsing > vulnerability > > Works as advertised on IE6.0.2800.1106.xpsp1.... interesting, must be > the > httpS that's throwing it.. > > ----- Original Message ----- > From: "Rui Pereira" <ruiper@...w.ca> > To: "'Exibar'" <exibar@...lair.com> > Cc: <full-disclosure@...ts.netsys.com> > Sent: Wednesday, December 10, 2003 12:13 PM > Subject: RE: [Full-Disclosure] Re: Internet Explorer URL parsing > vulnerability > > > > Er, on IE6.0.2800.1106.xpsp2....this shows up as > > https://www.let_me_steal_your_money.com/ in the address line. Guess it > > don't work as advertised. Maybe we should all upgrade? ;) > > > > R > > > > -----Original Message----- > > From: full-disclosure-admin@...ts.netsys.com > > [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Exibar > > Sent: December 10, 2003 7:55 AM > > To: Feher Tamas; full-disclosure@...ts.netsys.com > > Subject: Re: [Full-Disclosure] Re: Internet Explorer URL parsing > > vulnerability > > > > I can see many people getting duped with this: > > > > https://www.paypal.com%01@....let_me_steal_your_money.com > > > > so I completely know where you're coming from. > > > > exibar > > > > > > ----- Original Message ----- > > From: "Feher Tamas" <etomcat@...email.hu> > > To: <full-disclosure@...ts.netsys.com> > > Sent: Wednesday, December 10, 2003 3:23 AM > > Subject: [Full-Disclosure] Re: Internet Explorer URL parsing > > vulnerability > > > > > > > >Proof-of-Concept here: > > > >http://www.zapthedingbat.com/security/ex01/vun1.htm > > > > > > > >Vendor Notified 09 December, 2003 > > > > > > Unless the bug has already been exploited by malicious people, it > was > > > a highly irresponsible act to disclose it to the public, without > > giving > > > Microsoft a reasonable timeframe to produce a fix. It may even > qualify > > > as a crime! > > > > > > Considering the simplicity of this URL faking trick, it will be > > certainly > > see > > > active use by scammers during this Christmas shopping season and > > > thousands of people will be robbed of their online banking accounts, > > > etc. The money will boost organized crime and the whole society will > > > suffer. A patch would give customers at least a theoretical chance > to > > > protect themselves and the community. > > > > > > I certainly would not object to ZapDingbat getting sued for a few > > billion > > > bucks by M$ or the US Gov't sending him to a long recreation at > > > Guantanamo Bay. People like him discredit security research like > > > nothing else and his acts contribute towards legislation that will > > curb > > > people's right to investigate code. > > > > > > Regards: Tamas Feher. > > > > > > > > > _______________________________________________ > > > Full-Disclosure - We believe in it. > > > Charter: http://lists.netsys.com/full-disclosure-charter.html > > > > > > > > > > _______________________________________________ > > Full-Disclosure - We believe in it. > > Charter: http://lists.netsys.com/full-disclosure-charter.html > > > > > > > > > > > > >
Powered by blists - more mailing lists