Bugtraq mailing list archives
FW: IE https certificate attack
From: "August September" <august_september () hotmail com>
Date: Wed, 26 Dec 2001 16:57:16 +0500
Hello,

I've been reading this thread and it reminded me of a similar case (I don't know if it really classifies as a bug, so I haven't reported it).

Once I had to embed a non-secure object coming from another server into my secure page (only available over https), then I did the following: I wrote a simple redirect script like this:

    <?php header("Location:".$url); ?>

and on the real page requested the object through that script like this:

    <img src="redirect.php?url=http://non.secure.server">

Both IE and Mozilla displayed this object without any warning.

August
-----Original Message-----
From: security () e-matters de [mailto:security () e-matters de]
Sent: Saturday, December 22, 2001 4:37 PM
To: bugtraq () securityfocus com
Subject: IE https certificate attack

e-matters GmbH
www.e-matters.de

-= Security Advisory =-

Advisory: Internet Explorer HTTPS certificate attack
Release Date: 2001/12/22
Author: Stefan Esser [s.esser () e-matters de]
Application: Microsoft Internet Explorer 5.0/5.5/6.0
Severity: Vulnerability in IE's SSL Certificate handling allows undetected SSL Man-In-The-Middle attacks
Risk: Very High
Vendor Status: Notified
Reference: http://security.e-matters.de/advisories/012001.html