Full Disclosure mailing list archives

Re: Internet Explorer drag&drop 0day


From: Markus <full-disclosure () sandman za net>
Date: Thu, 16 Feb 2006 05:41:03 +0200

Hi Thierry,

I think I understand now. You did it for the `shock` effect.
I guess it is nothing more than a matter of opinion.
( I mean this to be nothing more than...
a free bit of market research I suppose. )
My opinion being that most users would find it an invasive and
deceptive tactic.
e.g.
 If a company were found to have released a successful virus campaign
 and their product was the only protection against it,
 I wouldn't purchase that product.

Or the far more ridiculous:
 The door to door salesman who pours cranberry juice on the old lady's
 carpet doesn't get the chance to prove how well the vacuum cleaner works.

This is hardly worth reading so I'm going to stop writing it.

Good luck Thierry.

Markus

--

Dear Markus,

M> under the heading  "Do you have a demonstration ?", both links to the
M> demo "exploit" are dead.
Yes they are; I was too lazy to remove them. I will replace them with
some working PoC heise.de links.

M> I assume in an attempt to hide the target url you meant to use the
M> onclick JavaScript event, or even the onmousedown or onmouseup,
M> but surely not the onmouseover!
No, I used onmouseover. The "exploit" was a PoC, nothing more; I seem
to recall it launched calc.exe or similar (google for shreddersub7).

M> You are aware that your currently chosen method would have launched your
M> exploit on the machine of a prospective customer,
The links are supposed to do so.

M> Please give your web designer a whack on the side of the head though.
That would be me.... ouch! that hurt.

I know I need a redesign for sake of usability.

--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45  2E57 28B3 75DD 0AC6 F1C7

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
