lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.44.0406111736400.24668-100000@high-mountain.nihongo.org>
From: snowhare at nihongo.org (Benjamin Franz)
Subject: RE: COELACANTH: Phreak Phishing Expedition]

On Thu, 10 Jun 2004, Thor Larholm wrote:

> It is only after IE has determined what server to request information
> from that it URL decodes the URI and ends up with
> http://www.microsoft.com/redir=www.e-gold.com, which it then displays in
> the Address Bar and subsequently uses to determine what security zone it
> should use to render the HTML. IE only decides what security zone to use
> based on the Address Bar value after it has successfully downloaded all
> of the HTML (untill then it is in the Unknown Zone), at which point the
> URL decoding has long since happened.

Does this affect 'cookie domain' scoping as well? I'm wondering if you 
could use a snip of Javascript to steal other-domain cookies directly 
with this....

-- 
Benjamin Franz

Catapultam habeo. 

Nisi pecuniam omnem mihi dabis ad capul tuum saxum immane mittam.

(Translation: "I have a catapult. Give me all the money or I will fling 
 an enormous rock at your head.")
                                        Henry Beard


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ