Full Disclosure mailing list archives
Re: (no subject)
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sat, 06 Dec 2003 11:00:35 +1300
"http-equiv () excite com" <1 () malware com> wrote:
> Quite a nifty email scam:
>
> <a href="http://www.visa.com :UserSession=2f6q9uuu88312264trzzz55884495&usersoption=SecurityUpdate&StateLevel=GetFrom@61.252.126.191/verified_by_visa.html">http://www.visa.com</a>
>
> Note the gap, shows only as visa.com in Outlook Express which takes you to visa's site and a rather awkward popup window where the data is supposed to be filled in.
Indeed -- this is a classic exploit of a classic case of several _really, really BAD_ design decisions.

First, some genius (or committee thereof) decided that putting "userinfo" data into URLs would be a good idea. This was decided despite it generally being agreed -- as the URL RFC authors note _in the RFC_ -- to be a bad thing from a security perspective...

Second, and perhaps the largest part of the problem, was that the specification for doing this was designed by people with _ABSOLUTELY ZERO_ clue about user interfaces, as is shown by their decision to put userinfo data in front of the target domain. Normally users will only see URLs without userinfo data, so from a UI perspective it was really bad design to have a "special case" (that would be rarely used and thus rarely seen by users) "disturb" the expectation of the user (in general, that is a recipe for problems). Worse is that the userinfo data field has, by its nature, to allow for completely arbitrary data (in terms of length and character set).

Third, and increasingly inexcusable, is that no client s/w (that I am aware of) that deals with such URLs has _ANY_ kind of sanity checking or user warning that "something unexpected" may be about to happen. I would hazard that, because of the general agreement that specifying userinfo data in URLs is a really bad thing, historically "most" URLs that have had a userinfo part have had such for nefarious uses. Thus, I'd suggest that it is time URL-handling routines stopped handling userinfo data, at least without prompting the user, or better still, by default be configured to not handle userinfo (which would make userinfo handling a candidate for zone-by-zone enabling in IE where, _at most_, it would only make sense to be enabled by default in the Trusted Sites zone).

Regards,

Nick FitzGerald
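As an added illustration (not part of the thread), here is a small Python check along the lines of the policy Nick proposes: it pulls the userinfo part of a link apart from the real host, and either blocks the link or flags it for a prompt. The sample URL is constructed in the shape of the one quoted above, with the line-wrap artefacts removed; the function names are my own.

```python
from urllib.parse import urlsplit

# Constructed sample, shaped like the quoted scam link: a userinfo part that
# reads as a bank's host name, then "@" and the real destination (an IP address).
PHISH = ("http://www.visa.com:UserSession=2f6q9uuu88312264trzzz55884495"
         "&usersoption=SecurityUpdate&StateLevel=GetFrom"
         "@61.252.126.191/verified_by_visa.html")
PLAIN = "https://www.visa.com/verified_by_visa.html"   # no userinfo at all


def userinfo_report(url):
    """Return (has_userinfo, apparent_host, real_host) for an http(s) URL.

    apparent_host is what a reader skimming the link text takes for the
    destination: the authority text up to the first ':' or '@'.
    real_host is the host a client actually connects to (after the last '@').
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("only http/https URLs are checked here")
    authority = parts.netloc
    has_userinfo = "@" in authority
    apparent = authority.split("@", 1)[0].split(":", 1)[0].lower()
    real = (parts.hostname or "").lower()
    return has_userinfo, apparent, real


def policy_decision(url, allow_userinfo=False):
    """Default-deny userinfo, as the post suggests; prompt only where a
    configuration (e.g. a trusted zone) explicitly allows it."""
    has_userinfo, apparent, real = userinfo_report(url)
    if not has_userinfo:
        return "allow", real
    action = "prompt" if allow_userinfo else "block"
    reason = (f"userinfo present: link reads as {apparent!r} "
              f"but the destination host is {real!r}")
    return action, reason


if __name__ == "__main__":
    for u in (PLAIN, PHISH):
        print(policy_decision(u))
```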