Open Source and information security mailing list archives
Message-ID: <4aff5567.2502303@sandman.za.net>
Date: Thu Feb 16 03:43:05 2006
From: full-disclosure at sandman.za.net (Markus)
Subject: Internet Explorer drag&drop 0day

Hi Thierry,

I think I understand now. You did it for the "shock" effect.
I guess it is nothing more than a matter of opinion.
(I mean this to be nothing more than a free bit of market research, I suppose.)
My opinion being that most users would find it an invasive and
deceptive tactic.
e.g.
  If a company was found to have released a successful virus campaign
  and their product was the only protection against it,
  I wouldn't purchase that product.

Or the far more ridiculous:
  The door to door salesman who pours cranberry juice on the old lady's
  carpet doesn't get the chance to prove how well the vacuum cleaner works.

This is hardly worth reading so I'm going to stop writing it.

Good luck Thierry.

Markus

--

>Dear Markus,
>
>M> under the heading  "Do you have a demonstration ?", both links to the
>M> demo "exploit" are dead.
>Yes they are, I was too lazy to remove them. I will replace them with
>some working PoC heise.de links.
>
>M> I assume in an attempt to hide the target url you meant to use the
>M> *onclick* javascript event, or even the *onmousedown* or *onmouseup*,
>M> but surely not the *onmouseover*!
>No, I used onmouseover. The "exploit" was a PoC, nothing more. I seem
>to recall it launched calc.exe or similar (google for shreddersub7).
>
>M> You are aware that your currently chosen method would have launched your
>M> exploit on the machine of a prospective customer,
>The links are supposed to do so.
>
>M> Please give your web designer a whack on the side of the head though.
>That would be me.... ouch! that hurt.
>
>I know I need a redesign for sake of usability.
>
>-- 
>http://secdev.zoller.lu
>Thierry Zoller
>Fingerprint : 5D84 BFDC CD36 A951 2C45  2E57 28B3 75DD 0AC6 F1C7
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
