| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-id: <472461E6.32274.19CE6D15@nick.virus-l.demon.co.uk> Date: Sun, 28 Oct 2007 10:18:14 +1300 From: Nick FitzGerald <nick@...us-l.demon.co.uk> To: Full-Disclosure <full-disclosure@...ts.grok.org.uk> Subject: Re: MySpace URL redirection Fabrizio wrote: > Risk: potentially high > File under: annoyances > > "hey! check out my cool myspace page!" > > warning: will crash Internet Exploder. > > http://profile.myspace.com/index.cfm?fuseaction=cms.goto&_i=176efaa7-1908-488e-aa3e-2565dcf843d6&_u=http://www.modernlifeisrubbish.co.uk/etc/crash-ie.html Open redirectors are, of course, very bad in general, but the largest "Internet properties" have whole business models absed on them (and thus on helping the fraudsters and scammers), so WTF should anyone else care about them?? For those looking for malice, this one can be simplified to: http://profile.myspace.com/index.cfm?fuseaction=cms.goto&_u=[...] (where "[...]" is the target URI). And, of course, you can further obfuscate it by stuffing it with bogus parameters. Yet further obfuscation possibilities with escaping and so on are left as an exercise for the reader... Regards, Nick FitzGerald _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists