Message-ID: <4aff5567.2502303@sandman.za.net>
Date: Thu Feb 16 03:43:05 2006
From: full-disclosure at sandman.za.net (Markus)
Subject: Internet Explorer drag&drop 0day
Hi Thierry,
I think I understand now. You did it for the `shock` effect.
I guess it is nothing more than a matter of opinion.
(I mean this to be nothing more than...
a free bit of market research, I suppose.)
My opinion being that most users would find it an invasive and
deceptive tactic.
e.g.
If a company was found to have released a successful virus campaign
and their product was the only protection against it,
I wouldn't purchase that product.
Or the far more ridiculous:
The door to door salesman who pours cranberry juice on the old lady's
carpet doesn't get the chance to prove how well the vacuum cleaner works.
This is hardly worth reading so I'm going to stop writing it.
Good luck Thierry.
Markus
--
>Dear Markus,
>
>M> under the heading "Do you have a demonstration ?", both links to the
>M> demo "exploit" are dead.
>Yes they are, I was too lazy to remove them. I will replace them with
>some working PoC heise.de links.
>
>M> I assume in an attempt to hide the target url you meant to use the
>M> * onclick * javascript event, or even the * onmousedown * or * onmouseup *,
>M> but surely not the * onmouseover * !
>No, I used onmouseover. The "exploit" was a PoC, nothing more. I think
>I recall it launched calc.exe or similar (google for shreddersub7).
>
>M> You are aware that your currently chosen method would have launched your
>M> exploit on the machine of a prospective customer,
>The links are supposed to do so.
>
>M> Please give your web designer a whack on the side of the head though.
>That would be me... ouch! That hurt.
>
>I know I need a redesign for sake of usability.
>
>--
>http://secdev.zoller.lu
>Thierry Zoller
>Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/