Re: Re: Internet Explorer URL parsing vulnerability

["Exibar" <exibar () thelair com>]

Works as advertised on IE6.0.2800.1106.xpsp1.... interesting, must be the
httpS that's throwing it..

----- Original Message ----- 
From: "Rui Pereira" <ruiper () shaw ca>
To: "'Exibar'" <exibar () thelair com>
Cc: <full-disclosure () lists netsys com>
Sent: Wednesday, December 10, 2003 12:13 PM
Subject: RE: [Full-disclosure] Re: Internet Explorer URL parsing
vulnerability


> Er, on IE6.0.2800.1106.xpsp2....this shows up as
> https://www.let_me_steal_your_money.com/ in the address line. Guess it
> don't work as advertised. Maybe we should all upgrade? ;)
>
> R
>
> -----Original Message-----
> From: full-disclosure-admin () lists netsys com
> [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Exibar
> Sent: December 10, 2003 7:55 AM
> To: Feher Tamas; full-disclosure () lists netsys com
> Subject: Re: [Full-disclosure] Re: Internet Explorer URL parsing
> vulnerability
>
> I can see many people getting duped with this:
>
> https://www.paypal.com%01@www.let_me_steal_your_money.com
>
> so I completely know where you're coming from.
>
>   exibar
>
>
> ----- Original Message ----- 
> From: "Feher Tamas" <etomcat () freemail hu>
> To: <full-disclosure () lists netsys com>
> Sent: Wednesday, December 10, 2003 3:23 AM
> Subject: [Full-disclosure] Re: Internet Explorer URL parsing
> vulnerability
>
>
> > > Proof-of-Concept here:
> > > http://www.zapthedingbat.com/security/ex01/vun1.htm
> > >
> > > Vendor Notified 09 December, 2003
> >
> > Unless the bug has already been exploited by malicious people, it was
> > a highly irresponsible act to disclose it to the public, without
> giving
> > Microsoft a reasonable timeframe to produce a fix. It may even qualify
> > as a crime!
> >
> > Considering the simplicity of this URL faking trick, it will be
> certainly
> see
> > active use by scammers during this Christmas shopping season and
> > thousands of people will be robbed of their online banking accounts,
> > etc. The money will boost organized crime and the whole society will
> > suffer. A patch would give customers at least a theoretical chance to
> > protect themselves and the community.
> >
> > I certainly would not object to ZapDingbat getting sued for a few
> billion
> > bucks by M$ or the US Gov't sending him to a long recreation at
> > Guantanamo Bay. People like him discredit security research like
> > nothing else and his acts contribute towards legislation that will
> curb
> > people's right to investigate code.
> >
> > Regards: Tamas Feher.
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html