Vulnerability Development mailing list archives

Re: /instmsg/alias/annoying_web_logs ;)


From: zeno <bugtraq () cgisecurity net>
Date: Tue, 15 Oct 2002 10:10:46 -0400 (EDT)



Exchange and MSN Messenger are the top leads so far. :> Someone install
MSN Messenger and find out! (Doesn't ANYONE run that thing?) :>

-dave



Here is a good question. We know it is sending GET requests to a webserver. I assume IIS must have
something set up to get queries and forward to the messaging client? What if IIS isn't installed, does
something else answer it? If so, what?

- zeno () cgisecurity com





On Tue, 2002-10-15 at 10:05, zeno wrote:

I get billions of these things too, it's part of some MSN groups/chat
thing, essentially it takes requests the "alias" of the email address
(dave () immunitysec com => /instmsg/alias/dave). Might be fun to send back

These things are damn annoying. I get probably 5 of these a day and 1 person keeps checking me every
few hours.

some looooong responses ;) My favorites are all the ones that originate
from microsoft "tide" addresses... They send me some funny referrers from
their intranet servers once in a while too.

Ha.

---
"Immunity also gets a lot of requests for /instmsg/alias/dave, which
doesn't exist. I'm curious what web client plugin causes this behavior.
And, I've noticed FrontPage makes PROPFIND, /_vti_bin/shtml.dll, and
other FrontPage-style requests. Somewhere here I smell an exploitable
client-side vulnerability."
---

I'm curious, do we know this is MSN Messenger? Anybody else know if AIM or another client sends
these requests?

- zeno

--
Dave Aitel <dave () immunitysec com>
Immunity, Inc
