| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <19e54ea80707131059i35bbacbewba264c963f20cb57@mail.gmail.com> Date: Fri, 13 Jul 2007 10:59:54 -0700 From: "Billy Rios" <billy.rios@...il.com> To: full-disclosure@...ts.grok.org.uk Subject: Cross Application Scripting (IE pwns Trillian, Trillian pwns YOU!) To all, Registered URIs can be extremely dangerous... browsers must take special care in filtering which characters are passed to registered URIs. Developers must take special care when registering a URI. We've discovered MANY MANY issues with registered URIs over the last year. Registered URIs can be remotely exploited, many times resulting in full system compromise. You can find a sample of how dangerous registered URIs can be here: http://www.xs-sniper.com/nmcfeters/Cross-App-Scripting-2.html The recent firefoxurl vulnerabilities are based on registered URIs.... http://larholm.com/2007/07/10/internet-explorer-0day-exploit http://secunia.com/advisories/25984 Unregister ALL unnecessary URIs NOW! This is NOT just an IE issue....and this is NOT just a Trillian issue… Billy "BK" Rios _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists