Full Disclosure mailing list archives
Fwd: Returned post for bugtraq () securityfocus com
From: lcamtuf () dione ids pl (Michal Zalewski)
Date: Thu, 5 Sep 2002 22:55:15 -0400 (EDT)
On Thu, 5 Sep 2002 fooldisclosure () hushmail com wrote:
* Most (MOST) posts to bugtraq get rejected
That would be, I imagine, because most of what arrives to bugtraq () securityfocus com is spam.
* Security issues sent to bugtraq get 'sat on' by secfocus. Priority customers get priority notice.
Makes me wonder how much SF customers had to pay for 0-day knowledge of the http://www.ebay.com%...%40 trick.
Obviously the bugtraq moderators cannot see any issues with obfuscated URL's that look like http://www.ebay.com%252f%40evil.site.goes.here.
Considering the fact that you are the inventor of this technique, which has been used for ages to obfuscate URLs and play pranks on less knowledgeable users, and the fact that it does not buy you a thing - at least with a person who knows how URLs work... It's a vulnerability the same way SMTP is buggy because "From:" can be forged. Here's a typical, ancient example of this prank I grepped from my mailbox...

http://www.cnn.com%3b2001%3bshowbiz@209.61.189.243/britney/index.html

Yes, you could fool a clueless user and make him think he's visiting www.microsoft.com and has to enter his credit card number now. But the same way, you could fool him with a mail from "Administrator <adm3736 () yahoo com>". Or by telling him "I send you this file in order to have your advice". But the vulnerable component is the user who has insufficient knowledge about the tools he's using, not the software that is working pretty well.

--
Michal Zalewski
Opinions expressed herein are mine, but generally I disagree with them.
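The point Zalewski makes is that the "userinfo" part of a URL (everything between `//` and `@`) is not the host at all, so a link like the cnn.com one above really goes to 209.61.189.243. The following is an added example, not part of the original mailing-list post, showing how a link checker or mail filter can pull apart such a URL with Python's standard `urllib.parse` and flag the ones that carry a decoy. The function names (`analyze_url`, `decoy_text`) and the list of sample URLs are my own; the URLs themselves are the ones quoted in this thread plus a plain control.

```python
from urllib.parse import urlsplit, unquote


def analyze_url(url: str) -> dict:
    """Split a URL and report the host a client will really connect to
    versus the text a casual reader is likely to mistake for the host.

    A URL is flagged as suspicious when its authority component contains
    a userinfo part ("something@host") or any percent-escape.  The second
    condition covers the "%40" form from the thread: an RFC-compliant parser
    does not treat an encoded '@' as a delimiter, but some historical
    clients decoded it before parsing, so it is worth flagging either way.
    """
    parts = urlsplit(url)
    netloc = parts.netloc
    # rpartition: the *last* '@' separates userinfo from host, so extra
    # '@' characters inside the decoy text do not confuse the split.
    userinfo, sep, _hostport = netloc.rpartition("@")
    has_userinfo = bool(sep)
    return {
        "real_host": parts.hostname or "",        # what the client connects to
        "decoy_text": unquote(userinfo) if has_userinfo else "",
        "has_userinfo": has_userinfo,
        "percent_in_authority": "%" in netloc,
        "suspicious": has_userinfo or "%" in netloc,
    }


def decoy_text(url: str) -> str:
    """Return just the decoded decoy string a reader would see before '@'."""
    return analyze_url(url)["decoy_text"]


if __name__ == "__main__":
    # Constructed sample set: the two URLs quoted in the thread and a normal one.
    samples = [
        "http://www.cnn.com%3b2001%3bshowbiz@209.61.189.243/britney/index.html",
        "http://www.ebay.com%252f%40evil.site.goes.here",
        "http://www.cnn.com/index.html",
    ]
    for u in samples:
        r = analyze_url(u)
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} real host={r['real_host']!r} decoy={r['decoy_text']!r}  <- {u}")
```

Running the block prints one line per URL; the cnn.com link resolves to the raw IP address with `www.cnn.com;2001;showbiz` as the decoy, the ebay.com link is flagged because of the percent-escapes in its authority, and the control URL passes. The same `analyze_url` call can sit in front of any place a mail gateway or proxy renders links to users.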
Current thread:
- Fwd: Returned post for bugtraq () securityfocus com fooldisclosure () hushmail com (Sep 05)
- Fwd: Returned post for bugtraq () securityfocus com <mail () blazde co uk (Roland Postle) (Sep 05)
- Fwd: Returned post for bugtraq () securityfocus com Michal Zalewski (Sep 05)
- Fwd: Returned post for bugtraq () securityfocus com Fenris The Wolf (Sep 05)