Full Disclosure mailing list archives
Re: re: Microsoft Outlook Web Access URL Injection
From: Valdis.Kletnieks () vt edu
Date: Mon, 07 Feb 2005 14:26:27 -0500
On Mon, 07 Feb 2005 09:27:25 PST, morning_wood said:
Looks like MS is NOT publicly releasing a fix for this, while they have the means and solution at hand (at least under IE). A kind reader sent this little snippet... "... was able to get Microsoft to provide us with a DLL to drop under IIS 6 to compare URL variable against the Host: header variable and do 302 to web root if they are not similar. This fixed the problem, however, I doubt that Microsoft will make this patch available to the public." What happened to MS's commitment to security???
They figured they'd spent the budget for the quarter for PR proclaiming their commitment to security. Remember - they're nowhere near as committed to security as they are to the bottom line. A $20M PR campaign will sway a lot of managers, while a $200M project to actually fix things won't be noticed. Which would *you* choose if you were them? (Note that this is heavily dependent on corporate culture - for instance, if some VP at Google tried that same money-saving stunt, he'd probably get called in, pointed at the "Don't be evil" sign, and told to find some OTHER way to save the $180M... But as far as I know, there isn't any such sign in Redmond....)
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
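The mitigation quoted in the thread (compare the host in the user-supplied URL parameter against the request's Host: header, and 302 to the web root when they differ) is easy to get wrong, so here is an added example of that check in Python. It is not the DLL Microsoft supplied and not code from either poster; it assumes the comparison is on hostname only (case-insensitive, port ignored), that scheme-relative and backslash forms should be treated as foreign hosts, and that a safe relative path is one beginning with a single slash. All sample requests below are constructed.

```python
from urllib.parse import urlsplit

WEB_ROOT = "/"  # where the 302 lands when the check fails


def _hostname(value):
    """Normalise a host value: lower-case, strip whitespace and any :port suffix.

    Constructed helper; bracketed IPv6 literals are kept whole.
    """
    if not value:
        return ""
    host = value.strip().lower()
    if host.startswith("["):
        return host.split("]")[0] + "]"
    return host.split(":")[0]


def safe_redirect_target(host_header, url_param):
    """Return the value to put in the Location header.

    Mirrors the behaviour described in the thread: if the host embedded in
    the URL parameter does not match the request's Host: header, redirect to
    the web root instead of honouring the parameter.
    """
    if not url_param:
        return WEB_ROOT
    candidate = url_param.strip()
    # Browsers treat "/\evil.example" like "//evil.example"; refuse backslashes outright.
    if "\\" in candidate:
        return WEB_ROOT
    parts = urlsplit(candidate)
    # Absolute (http://host/...) and scheme-relative (//host/...) URLs carry a netloc.
    if parts.netloc:
        if _hostname(parts.netloc) != _hostname(host_header):
            return WEB_ROOT
        return candidate
    # A scheme with no netloc (javascript:, data:, ...) is never a same-site path.
    if parts.scheme:
        return WEB_ROOT
    # Relative path: a single leading slash keeps it on this origin.
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return WEB_ROOT
    return candidate


def evaluate_requests(requests):
    """Run the check over (Host header, URL parameter) pairs; returns the Location values."""
    return [safe_redirect_target(host, param) for host, param in requests]


if __name__ == "__main__":
    # Constructed sample requests: the first two are legitimate, the rest are foreign or malformed.
    SAMPLE = [
        ("mail.example.com", "https://MAIL.example.com:443/exchange/"),
        ("mail.example.com", "/exchange/inbox"),
        ("mail.example.com", "http://evil.example/exchange/"),
        ("mail.example.com", "//evil.example/exchange/"),
        ("mail.example.com", "/\\evil.example/"),
        ("mail.example.com", "javascript:alert(1)"),
    ]
    for (host, param), location in zip(SAMPLE, evaluate_requests(SAMPLE)):
        print(f"Host: {host:18} param={param!r:45} -> Location: {location}")
```

The check deliberately fails closed: anything it cannot classify as same-host ends up at the web root, which is the same outcome the quoted DLL produces, and the normalisation is done on the parsed netloc rather than by substring matching so that a hostname that merely contains the expected name does not pass.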