From: 1 at malware.com (http-equiv@...ite.com)
Subject: Re: FW: [Unpatched] Shell and Drag'n'Drop vulnerabilities


<!-- 
The premise behind this Drag'n'Drop exploit is two-fold, one is 
the ability to open a window with local content and the other is 
the fact  that dropping an IMG element will pass its DYNSRC 
attribute instead of  its SRC attribute
 -->

This is amusing. Though you're not the first to conjure up such 
machinations. Below is my response to that from weeks ago when 
originally constructing the demo:

> Hi <snip>. Thanks.
> 
> Actually no, it has nothing to do with any of it. Just that I am 
> currently on internet connection that is less fast than my 
> normal one.  While I was creating the demo, I found src="" 
> seemed to be slower loading the file than dynsrc at the time. I 
> just left it in once I completed the demo. Has no bearing on the 
> matter since I rebooted and both are the same speed now on this 
> machine (or the connection has since sped up).
> 
> <snip> said:
> 
> > Hey,
> > 
> > Nice demo, I have some questions though...
> > 
> > Are you using <img dynsrc="malware.exe"> to bypass the check on 
> > where the file is originating from?


The 'inventor' of this product also needs to be aware that the 
http folder behavior results in the same, dating back to Wednesday, 
August 14, 2002 [http://www.securityfocus.com/archive/1/320437]:

<body onload=malware() style="behavior: url(#default#httpFolder);"> 
 <script> 
function malware(){ 
document.body.navigate("shell:desktop"); 
} 
 </script>

http://www.malware.com/shelp.html

plus all the html help calls via the html help object. Probably 
many others but we can't do everything if you know what I mean.

<!-- 
Qwik-Fix Pro users were protected in advance against the Akak 
trojan without additional updates. You can find a free copy of 
Qwik-Fix Pro for  personal use at 
http://www.pivx.com/qwikfixDwnloa.asp 
-->


I recommend this new product instead. I've simply never been 
able to get yours to do what you advertise it to do:

https://www.prevx.com/homeoffice/homeoffice_homedownload.htm

Protect your home and home office against the next Zero Day 
Internet Worm, Spyware Installation or Hacker attack. 




-- 
http://www.malware.com
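
A defensive check for the constructs discussed in this message (the httpFolder behavior, shell: navigation and an IMG dynsrc pointing at an executable), as an added example that is not part of the original post. The rule names, the extension list and the sample pages are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Patterns for the constructs quoted in the message; \s* tolerates the
# line break that mail wrapping put between "url" and "(".
BEHAVIOR_RE = re.compile(r"behavior\s*:\s*url\s*\(\s*#default#httpfolder", re.I)
SHELL_RE = re.compile(r"""navigate\s*\(\s*["']shell:""", re.I)
EXEC_EXT = (".exe", ".com", ".scr", ".bat", ".pif")  # assumed list, extend as needed

class LegacyIEScanner(HTMLParser):
    """Collects (rule, detail) findings; rule names are hypothetical."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self.in_script = False

    def handle_starttag(self, tag, attrs):
        self.in_script = tag == "script"
        for name, value in attrs:
            value = value or ""
            if name == "style" and BEHAVIOR_RE.search(value):
                self.findings.append(("httpfolder-behavior", tag))
            if tag == "img" and name == "dynsrc" and value.lower().endswith(EXEC_EXT):
                self.findings.append(("dynsrc-executable", value))
            if name.startswith("on") and SHELL_RE.search(value):
                self.findings.append(("shell-navigate", name))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # Only script bodies are checked, so visible text does not trigger the rule.
        if self.in_script and SHELL_RE.search(data):
            self.findings.append(("shell-navigate", "script"))

def scan(html):
    parser = LegacyIEScanner()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed samples: the message's snippet, an IMG as in the quoted question, a benign page.
SAMPLE_POST = """<body onload=malware() style="behavior: url
(#default#httpFolder);">
<script>function malware(){ document.body.navigate("shell:desktop"); }</script>"""
SAMPLE_IMG = '<img src="photo.jpg" dynsrc="malware.exe">'
SAMPLE_BENIGN = '<body style="color: red"><img src="photo.jpg"></body>'
```
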







