[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20050523215543.GA12234@force.stwing.upenn.edu>
Date: Tue May 24 00:30:06 2005
From: lists.fd.dmargoli at af0.net (Dan Margolis)
Subject: RE: Security issue in Microsoft Outlook
On Mon, May 23, 2005 at 01:25:35PM -0700, David Cleveland wrote:
> I was able to duplicate. After creating the url link, I put the cursor
> right after the 'www.' And typed in the 'foo-labs.info'. Then I delete
> everything after 'info' and sent it. The link read foo-labs and went to
> cybertrion.
After much trials and tribulations, I was able to replicate this. And
you know what? IT'S THE EXACT SAME RESULT AS IF SOMEONE HAD CLICKED
"EDIT" AND CHANGED THE URL!
So, what this means is that there is a "bug" in Outlook by which one
can, if one has not clicked off the link since creating it, create a
link, alter it, and not have the target altered to the new URL. I say
"bug" in quotes because what presumably is going on is the function that
updates the target is not called, leaving the old target in there.
Is this a security risk? NO! The reporter is a troll or a moron! Since
my prior sarcasm was apparently lost on some readers, THIS IS A FEATURE
OF HTML! Links can point to other places than the text in between the
link tags! If they couldn't, there'd be no point to having links!
If you have a problem with this, go back to using Gopher--or better yet,
stop using the Internet. We'll all miss your valuable input.
Once and for all: THIS IS NOT A VULNERABILITY. Now, can we all let this
stupid thread die?
Thanks and have a great day. :)
--
Dan
Powered by blists - more mailing lists