Full Disclosure mailing list archives
Re: Re: Internet Explorer URL parsing vulnerability
From: "Exibar" <exibar () thelair com>
Date: Wed, 10 Dec 2003 12:52:19 -0500
Works as advertised on IE6.0.2800.1106.xpsp1.... interesting, must be the httpS that's throwing it.. ----- Original Message ----- From: "Rui Pereira" <ruiper () shaw ca> To: "'Exibar'" <exibar () thelair com> Cc: <full-disclosure () lists netsys com> Sent: Wednesday, December 10, 2003 12:13 PM Subject: RE: [Full-disclosure] Re: Internet Explorer URL parsing vulnerability
Er, on IE6.0.2800.1106.xpsp2....this shows up as https://www.let_me_steal_your_money.com/ in the address line. Guess it don't work as advertised. Maybe we should all upgrade? ;) R -----Original Message----- From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Exibar Sent: December 10, 2003 7:55 AM To: Feher Tamas; full-disclosure () lists netsys com Subject: Re: [Full-disclosure] Re: Internet Explorer URL parsing vulnerability I can see many people getting duped with this: https://www.paypal.com%01@www.let_me_steal_your_money.com so I completely know where you're coming from. exibar ----- Original Message ----- From: "Feher Tamas" <etomcat () freemail hu> To: <full-disclosure () lists netsys com> Sent: Wednesday, December 10, 2003 3:23 AM Subject: [Full-disclosure] Re: Internet Explorer URL parsing vulnerabilityProof-of-Concept here: http://www.zapthedingbat.com/security/ex01/vun1.htm Vendor Notified 09 December, 2003Unless the bug has already been exploited by malicious people, it was a highly irresponsible act to disclose it to the public, withoutgivingMicrosoft a reasonable timeframe to produce a fix. It may even qualify as a crime! Considering the simplicity of this URL faking trick, it will becertainly seeactive use by scammers during this Christmas shopping season and thousands of people will be robbed of their online banking accounts, etc. The money will boost organized crime and the whole society will suffer. A patch would give customers at least a theoretical chance to protect themselves and the community. I certainly would not object to ZapDingbat getting sued for a fewbillionbucks by M$ or the US Gov't sending him to a long recreation at Guantanamo Bay. People like him discredit security research like nothing else and his acts contribute towards legislation that willcurbpeople's right to investigate code. Regards: Tamas Feher. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: Internet Explorer URL parsing vulnerability, (continued)
- Re: Internet Explorer URL parsing vulnerability Feher Tamas (Dec 10)
- Re: Re: Internet Explorer URL parsing vulnerability Frank de Wit (Dec 10)
- Re: Re: Internet Explorer URL parsing vulnerability Jedi/Sector One (Dec 10)
- Re: Re: Internet Explorer URL parsing vulnerability Ricardo Moura (Dec 12)
- Re: Re: Internet Explorer URL parsing vulnerability Clint Bodungen (Dec 10)
- Re: Re: Internet Explorer URL parsing vulnerability S G Masood (Dec 10)
- Re: Re: Internet Explorer URL parsing vulnerability Clint Bodungen (Dec 10)
- Re: Re: Internet Explorer URL parsing vulnerability William Warren (Dec 10)
- Re: Re: Internet Explorer URL parsing vulnerability Exibar (Dec 10)
- RE: Re: Internet Explorer URL parsing vulnerability Rui Pereira (Dec 10)
- Re: Re: Internet Explorer URL parsing vulnerability Exibar (Dec 10)
- RE: Re: Internet Explorer URL parsing vulnerability Rui Pereira (Dec 10)
- Re: Re: Internet Explorer URL parsing vulnerability Exibar (Dec 10)
- Re: Internet Explorer URL parsing vulnerability Feher Tamas (Dec 10)
- RE: Re: Internet Explorer URL parsing vulnerability Kristian Hermansen (Dec 11)
- RE: Re: Internet Explorer URL parsing vulnerability Karlis Zigurs (Dec 11)
- Re: Re: Internet Explorer URL parsing vulnerability Valdis . Kletnieks (Dec 11)
- RE: RE: FWD: Internet Explorer URL parsing vulnerability Rainer Gerhards (Dec 10)
- Re: RE: FWD: Internet Explorer URL parsing vulnerability Georgi Guninski (Dec 10)