Full Disclosure mailing list archives
RE: 3 new MS patches next week... but none fix 0x01!
From: "David Bartholomew" <dfbarth () akiva com>
Date: Sun, 11 Jan 2004 11:05:52 -0500
Curious. I wondered why I didn't see the little control character marker in there when I pulled this page up like I did with the front page.

It's interesting, too, that someone should bother to put this sort of stuff in the form action section - but as a test I went and filled out the initial form with random info, just to see what the whole thing looked like. Figured that maybe they were putting the text in place to 'fill' your status bar so that you couldn't see the real stuff at the end of it. Seemed to be what happened.

It seems like so much work to bother with the 0x01 exploit at the beginning of the whole thing, when you could have just as readily done all this with JavaScript onmouseover events so that unless you looked at the source, the button would have looked totally legit.

.dfbarth

***
David Bartholomew, MCSE, MCSA, MCP, Net+, A+
Technical Lead - Akiva, Inc.
***

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Paul Szabo
Sent: Sunday, January 11, 2004 12:37 AM
To: dfbarth () akiva com; full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] 3 new MS patches next week... but none fix 0x01!

... and I've got this question for the list: This really long 'form action' item
http://www.citibank.com:achaaa9uwdtyazjwvwaaaa9p398haaa9uwdtyazjwvwaboundpyw
wgc2l6zt00pjxtvgc2l6zt00pjxywwgc2l6zt00pjxt398haaa9uwdtyazjwvwaaoundpywwgc2l
6zt00pjxtvgc2l6zt00pjxvgc2l6zt00pjxt@211.239.150.170/login/form.php
obviously contains the 0x01 exploit. What I'm curious about is the HUGE amount of crap in between the : and the @ sign. I mean, if the 0x01 exploit is 'good enough', what's with the extra characters?

Hmmm... where in there do you see %01? No, that is no 0x01 exploit, but just user:password@host quasi-RFC-compliant usage. The string is long so as to leave the user staring at the citibank+gibberish part, not to be made suspicious of the @IP part.

Cheers,

Paul Szabo - psz () maths usyd edu au http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006 Australia

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
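
The user:password@host layout described in the message above, as an added example that is not part of the original thread: a checker that parses a link, reports the host the browser will actually contact, and flags the padding and %01 variants the thread mentions. The bank name, the 192.0.2.10 documentation address, the finding labels and the 64-character threshold are assumptions made for illustration.

```javascript
// Added example (not from the thread). URLs are constructed samples that use
// a hypothetical bank name and a documentation IP address (192.0.2.10).
const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;
const DOMAIN_LIKE = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i;
const ENCODED_CONTROL = /%[01][0-9a-f]/i;   // %00-%1f, e.g. the %01 variant
const ENCODED_BYTE = /%[0-9a-f]{2}/gi;
const MAX_USERINFO = 64;                    // assumed threshold for "padding"

function inspectUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch (err) {
    return { shownFirst: null, actualHost: null, findings: ["unparseable"] };
  }
  const findings = [];
  const userinfo = u.username + u.password;
  if (userinfo.length > 0) {
    findings.push("userinfo-present");
    // What the reader sees first, once encoded bytes are ignored.
    if (DOMAIN_LIKE.test(u.username.replace(ENCODED_BYTE, ""))) {
      findings.push("userinfo-looks-like-host");
    }
    if (userinfo.length > MAX_USERINFO) findings.push("long-userinfo");
    if (ENCODED_CONTROL.test(userinfo)) findings.push("control-char-in-userinfo");
    if (IPV4.test(u.hostname)) findings.push("ip-literal-host");
  }
  return { shownFirst: u.username || null, actualHost: u.hostname, findings };
}

// Constructed samples: long padding, an encoded control byte, and a clean URL.
const padded = "http://www.example-bank.com:" + "x".repeat(120) +
  "@192.0.2.10/login/form.php";
const withControl = "http://www.example-bank.com%01@192.0.2.10/login/form.php";
const clean = "https://www.example-bank.com/login/form.php";

for (const url of [padded, withControl, clean]) {
  const r = inspectUrl(url);
  console.log(r.actualHost, r.findings.join(",") || "no findings");
}
```

A mail gateway or proxy could apply the same checks to link targets and form actions before a message reaches the reader.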