Fwd: Returned post for bugtraq () securityfocus com

[lcamtuf () dione ids pl (Michal Zalewski)]

On Thu, 5 Sep 2002 fooldisclosure () hushmail com wrote:

> * Most (MOST) posts to bugtraq get rejected

That would be, I imagine, because most of what arrives to
bugtraq () securityfocus com is spam.

> * Security issues sent to bugtraq get 'sat on' by secfocus. Priority
> customers get priority notice.

Makes me wonder how much SF customers had to pay for 0-day knowledge of
the http://www.ebay.com%...%40 trick.

> Obviously the bugtraq moderators cannot see any issues with obfuscated
> URL's that look like http://www.ebay.com%252f%40evil.site.goes.here.

Considering the fact that you are the inventor of this technique, which
has been used for ages to obfuscate URLs and play pranks on less
knowledgeable users, and the fact that it does not buy you a thing - at
least with a person who knows how URLs work... It's vulnerability the same
way as SMTP is buggy because "From:" can be forged.

Here's a typical, ancient example of this prank I grepped from my
mailbox...

http://www.cnn.com%3b2001%3bshowbiz@209.61.189.243/britney/index.html

Yes, you could fool a clueless user and make him think he's visiting
www.microsoft.com and has to enter his credit card number now. But same
way, you could fool him with a mail from "Administrator
<adm3736 () yahoo com>". Or by telling him "I send you this file in order to
have your advice". But the vulnerable component is the user who has
insufficient knowledge about the tools he's using, not the software that
is working pretty well.

-- 
Michal Zalewski

Opinions expressed herein are mine, but generally I disagree with them.