
Re: [Full-Disclosure] (no subject)



"http-equiv@excite.com" <1@malware.com> wrote:

> Quite a nifty email scam:
> 
> <a 
> href="http://www.visa.com                                            
>                                                                  :Use
> rSession=2f6q9uuu88312264trzzz55884495&usersoption=SecurityUpdate&Sta
> teLevel=GetFrom@61.252.126.191/verified_by_visa.html">http://www.visa
> .com</a>
> 
> Note the gap, shows only as visa.com in Outlook Express which takes 
> you to visa's site and a rather awkward popup window where the data 
> is supposed to be filled in.

Indeed -- this is a classic exploit of a classic case of several 
_really, really BAD_ design decisions.

First, some genius (or committee thereof) decided that putting 
"userinfo" data into URLs would be a good idea.  This was decided 
despite it generally being agreed -- as the URL RFC authors note _in 
the RFC_ -- to be a bad thing from a security perspective...

Second, and perhaps the largest part of the problem was that the 
specification for doing this was designed by people with _ABSOLUTELY 
ZERO_ clue about user interfaces, as is shown by their decision to put 
userinfo data in front of the target domain.  Normally users will only 
see URLs without userinfo data, so from a UI perspective it was really 
bad design to have a "special case" (that would be rarely used and thus 
rarely seen by users) "disturb" the expectation of the user (in 
general, that is a recipe for problems).  Worse is that the userinfo 
data field has, by its nature, to allow for completely arbitrary data 
(in terms of length and character set).

Third, and increasingly inexcusable, is that no client s/w (that I am 
aware of) that deals with such URLs has _ANY_ kind of sanity checking 
or user warning that "something unexpected" may be about to happen.  I 
would hazard that, because of the general agreement that specifying 
userinfo data in URLs is a really bad thing, historically "most" URLs 
that have had a userinfo part have had such for nefarious uses.
Thus, I'd suggest that it is time URL-handling routines stopped 
handling userinfo data, at least without prompting the user, or better 
still, by default be configured to not handle userinfo (which would 
make userinfo handling a candidate for zone-by-zone enabling in IE 
where, _at most_, it would only make sense to be enabled by default in 
the Trusted Sites zone).


Regards,

Nick FitzGerald
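The check Nick's third point asks for, detecting a userinfo part in a URL and refusing or prompting by default, as an added example that is not part of the original message or of any posters' code. It is a small Python checker written for this page; the zone policy, the function names and the example.com/example.net hosts are assumptions, and SCAM_URL is the link quoted in the thread reconstructed with its line breaks collapsed into spaces.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Authority = everything between "scheme://" and the first "/", "?" or "#".
_AUTHORITY_RE = re.compile(r'^[A-Za-z][A-Za-z0-9+.-]*://([^/?#]*)')
# The leading run of hostname-looking characters in a userinfo field is what a
# reader skimming the link will take for the site.
_LEADING_HOST_RE = re.compile(r'[A-Za-z0-9.-]+')


@dataclass
class UrlCheck:
    url: str
    real_host: str                  # host the client would actually connect to
    userinfo: Optional[str]         # text before the last '@' in the authority, if any
    apparent_host: Optional[str]    # hostname-like prefix of the userinfo, if any
    padded: bool                    # userinfo contains whitespace (the "gap" trick)

    @property
    def has_userinfo(self) -> bool:
        return self.userinfo is not None


def _host_of(hostport: str) -> str:
    """Strip an optional :port; keep bracketed IPv6 literals intact."""
    if hostport.startswith('['):
        end = hostport.find(']')
        return hostport[1:end] if end != -1 else hostport[1:]
    return hostport.split(':', 1)[0]


def inspect_url(url: str) -> UrlCheck:
    """Parse the authority and report whether a userinfo part is present.
    Assumption: like most clients, everything up to the LAST '@' is userinfo
    (RFC 3986 forbids '@' inside userinfo, but clients are more lenient)."""
    m = _AUTHORITY_RE.match(url)
    if m is None:
        return UrlCheck(url, "", None, None, False)
    authority = m.group(1)
    userinfo, sep, hostport = authority.rpartition('@')
    if not sep:
        return UrlCheck(url, _host_of(authority).lower(), None, None, False)
    lead = _LEADING_HOST_RE.match(userinfo)
    return UrlCheck(
        url,
        _host_of(hostport).lower(),
        userinfo,
        lead.group(0).lower() if lead else None,
        re.search(r'\s', userinfo) is not None,
    )


def decide(url: str, trusted_hosts: FrozenSet[str] = frozenset()) -> str:
    """Policy in the spirit of the suggestion above (an assumption, not any
    client's real behaviour): userinfo URLs are refused by default; only for
    hosts in an explicitly trusted zone is the user prompted instead."""
    check = inspect_url(url)
    if not check.has_userinfo:
        return "allow"
    if check.real_host in trusted_hosts and not check.padded:
        return "prompt"
    return "block"


def explain(check: UrlCheck) -> str:
    """Human-readable warning a client could show instead of following the link."""
    if not check.has_userinfo:
        return f"connects to {check.real_host}"
    msg = f"WARNING: link carries a userinfo part and really connects to {check.real_host}"
    if check.apparent_host and check.apparent_host != check.real_host:
        msg += f"; it is written to look like {check.apparent_host}"
    if check.padded:
        msg += " (whitespace padding hides the real host)"
    return msg


# Constructed sample inputs. SCAM_URL is the link quoted in the thread with its
# line breaks collapsed into spaces; the other two are made up for this example.
SCAM_URL = (
    "http://www.visa.com" + " " * 60
    + ":UserSession=2f6q9uuu88312264trzzz55884495&usersoption=SecurityUpdate"
    + "&StateLevel=GetFrom@61.252.126.191/verified_by_visa.html"
)
PLAIN_URL = "https://www.example.com/login"
FTP_URL = "ftp://anonymous:guest@files.example.net/pub/"

if __name__ == "__main__":
    for u in (SCAM_URL, PLAIN_URL, FTP_URL):
        c = inspect_url(u)
        print(f"{decide(u, frozenset({'files.example.net'})):6} {explain(c)}")
```

Run as a script it prints one verdict per sample URL: the padded visa.com link is blocked and its warning names 61.252.126.191 as the real host, the plain link is allowed, and the ftp link is only prompted for because its host was put in the trusted set. The padding check is deliberately stricter than the zone policy: whitespace in userinfo serves no legitimate purpose, so it is refused even for trusted hosts.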

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html