Full Disclosure mailing list archives
Global *.net XSS, thank you Verisign(TM)
From: <xss_slut () hushmail com>
Date: Mon, 15 Sep 2003 20:35:43 -0700
Quite recently, Verisign took over the internet. What parts, you might ask? Well, the parts in nomad land. Do a dig on _anything_you_like.net, and you'll find an IP. Point a browser at http://junkurlblahblah.net, and you'll find yourself at sitefinder.verisign.com

This by itself doesn't create a vulnerability, however, when combined with an XSS bug, this works in IE:

http://";alert('slut');".net

This wildcard DNS on the .net TLD will wreak havoc on mail servers, and a few other utilities that don't cleanly validate DNS names.

Other less exciting versions of this XSS:

http://sitefinder.verisign.com/lpc?url=meow'><script>alert(document.cookie)</script><'

There is some other really funky stuff going on with JS on the sitefinder site - take a peek at the source under the portal pages.

Finally, Verisign, you are now the number 1 domain squatter. Eat a big bowl of dicks.

-xss_slut

This post has been brought by the letter S and the number 4

Greets to your grandmother.
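A defensive check for the two failure modes the post names, as an added example that is not part of the original message: it rejects names that are not valid LDH hostnames (the quoted-script hostname above fails here) and discounts answers that match what a wildcarded TLD returns for random labels. The resolver is injected so the code runs offline; `fake_resolve`, the function names and the addresses are constructed for illustration.

```python
import re
import secrets

# RFC 952/1123 "LDH" label: letters, digits, hyphen; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def is_ldh_hostname(name):
    """True only for syntactically valid hostnames (LDH labels, at most 253 chars)."""
    if name.endswith("."):
        name = name[:-1]
    if not name or len(name) > 253:
        return False
    return all(_LABEL.fullmatch(label) for label in name.split("."))

def wildcard_answers(tld, resolve, probes=2):
    """Addresses returned for random labels that should not exist under the TLD."""
    seen = set()
    for _ in range(probes):
        seen |= set(resolve("x" + secrets.token_hex(12) + "." + tld))
    return seen

def domain_exists(name, resolve):
    """Existence check that rejects bad syntax and discounts wildcard answers."""
    if not is_ldh_hostname(name):
        return False
    answers = set(resolve(name))
    tld = name.rstrip(".").rsplit(".", 1)[-1]
    return bool(answers - wildcard_answers(tld, resolve))

# Constructed sample data: a fake resolver imitating a wildcarded .net zone.
WILDCARD_IP = "192.0.2.1"  # documentation address, chosen for this example
REAL = {"example.net": ["198.51.100.7"]}

def fake_resolve(name):
    if name in REAL:
        return REAL[name]
    return [WILDCARD_IP] if name.endswith(".net") else []

if __name__ == "__main__":
    for host in ["example.net", "junkurlblahblah.net", "\";alert('slut');\".net"]:
        print(repr(host), is_ldh_hostname(host), domain_exists(host, fake_resolve))
```

A mail server's "does the sender domain resolve" test would call `domain_exists` with its real resolver in place of `fake_resolve`.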
Current thread:
- Global *.net XSS, thank you Verisign(TM) xss_slut (Sep 16)
- Re: Global *.net XSS, thank you Verisign(TM) Jedi/Sector One (Sep 16)
- Re: Global *.net XSS, thank you Verisign(TM) James Greenhalgh (Sep 16)
- Re: Global *.net XSS, thank you Verisign(TM) Paul Holman (Sep 16)
- Re: Global *.net XSS, thank you Verisign(TM) J.A. Terranson (Sep 16)
- Re: Global *.net XSS, thank you Verisign(TM) morning_wood (Sep 18)
- Re: Global *.net XSS, thank you Verisign(TM) Marc Slemko (Sep 16)
- Re: Global *.net XSS, thank you Verisign(TM) morning_wood (Sep 18)
- RE: Global *.net XSS, thank you Verisign(TM) Richard M. Smith (Sep 16)
- RE: Global *.net XSS, thank you Verisign(TM) tadpole-boy (Sep 16)
- Re: Global *.net XSS, thank you Verisign(TM) Scott Manley (Sep 16)
- Re: Global *.net XSS, thank you Verisign(TM) Jedi/Sector One (Sep 16)