Re: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability



Works as advertised on IE6.0.2800.1106.xpsp1.... interesting, must be the
httpS that's throwing it..

----- Original Message ----- 
From: "Rui Pereira" <ruiper@shaw.ca>
To: "'Exibar'" <exibar@thelair.com>
Cc: <full-disclosure@lists.netsys.com>
Sent: Wednesday, December 10, 2003 12:13 PM
Subject: RE: [Full-Disclosure] Re: Internet Explorer URL parsing
vulnerability


> Er, on IE6.0.2800.1106.xpsp2....this shows up as
> https://www.let_me_steal_your_money.com/ in the address line. Guess it
> don't work as advertised. Maybe we should all upgrade? ;)
>
> R
>
> -----Original Message-----
> From: full-disclosure-admin@lists.netsys.com
> [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Exibar
> Sent: December 10, 2003 7:55 AM
> To: Feher Tamas; full-disclosure@lists.netsys.com
> Subject: Re: [Full-Disclosure] Re: Internet Explorer URL parsing
> vulnerability
>
> I can see many people getting duped with this:
>
> https://www.paypal.com%01@www.let_me_steal_your_money.com
>
> so I completely know where you're coming from.
>
>   exibar
>
>
> ----- Original Message ----- 
> From: "Feher Tamas" <etomcat@freemail.hu>
> To: <full-disclosure@lists.netsys.com>
> Sent: Wednesday, December 10, 2003 3:23 AM
> Subject: [Full-Disclosure] Re: Internet Explorer URL parsing
> vulnerability
>
>
> > >Proof-of-Concept here:
> > >http://www.zapthedingbat.com/security/ex01/vun1.htm
> > >
> > >Vendor Notified 09 December, 2003
> >
> > Unless the bug has already been exploited by malicious people, it was
> > a highly irresponsible act to disclose it to the public, without giving
> > Microsoft a reasonable timeframe to produce a fix. It may even qualify
> > as a crime!
> >
> > Considering the simplicity of this URL faking trick, it will certainly
> > see active use by scammers during this Christmas shopping season and
> > thousands of people will be robbed of their online banking accounts,
> > etc. The money will boost organized crime and the whole society will
> > suffer. A patch would give customers at least a theoretical chance to
> > protect themselves and the community.
> >
> > I certainly would not object to ZapDingbat getting sued for a few billion
> > bucks by M$ or the US Gov't sending him to a long recreation at
> > Guantanamo Bay. People like him discredit security research like
> > nothing else and his acts contribute towards legislation that will curb
> > people's right to investigate code.
> >
> > Regards: Tamas Feher.
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
> >
> >
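A defender-side check for the spoofing pattern quoted in this thread, added here as an example and not written by any of the posters: it parses the URL the way an RFC-conformant parser does, compares the host a reader would see in front of the `@` with the host the browser actually connects to, and flags percent-encoded control characters in the userinfo. The sample URLs and the `analyze` function name are constructed for the example.

```python
"""Detect 'userinfo looks like a host' URL spoofing (constructed example)."""
import re
from urllib.parse import urlsplit, unquote

# Constructed samples: the spoof URL quoted in the thread plus benign cases.
SAMPLE_URLS = [
    "https://www.paypal.com%01@www.let_me_steal_your_money.com",
    "https://www.paypal.com/",
    "ftp://anonymous@ftp.example.org/pub/",  # legitimate userinfo, no host mimicry
]

# Something a user would read as a domain name (label.label... with a TLD).
HOST_LIKE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$", re.IGNORECASE)
# C0 control characters and DEL; %01 in the thread decodes to one of these.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def analyze(url):
    """Return the real host, the host a reader would see, and why it looks off."""
    parts = urlsplit(url)
    real_host = (parts.hostname or "").lower()  # what the connection goes to
    apparent_host = real_host
    reasons = []
    if parts.username is not None:
        # urlsplit treats everything before the last '@' in the authority as userinfo.
        raw_userinfo = parts.netloc.rpartition("@")[0]
        decoded = unquote(raw_userinfo)
        if CONTROL_CHARS.search(decoded):
            reasons.append("control character in userinfo")
        # What a rendering that stops at the control character would display.
        visible = CONTROL_CHARS.split(decoded)[0]
        if HOST_LIKE.match(visible):
            apparent_host = visible.lower()
            reasons.append(f"userinfo looks like host {apparent_host!r}")
    return {
        "url": url,
        "real_host": real_host,
        "apparent_host": apparent_host,
        "suspicious": bool(reasons) and apparent_host != real_host,
        "reasons": reasons,
    }


if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        result = analyze(sample)
        print(f"{'SUSPICIOUS' if result['suspicious'] else 'ok':10} "
              f"{result['apparent_host']!r} -> {result['real_host']!r} {result['reasons']}")
```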