Linux Users' Group of Davis (LUGOD)
 
Page last updated: 2003 Dec 12 02:15

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] New phishing vulnerability

On Thu, Dec 11, 2003 at 08:52:04PM -0800, Larry Ozeran wrote:
> At 03:53 PM 12/11/03 -0800, you wrote:
> >On Thu, 2003-12-11 at 15:47, Larry Ozeran wrote:
> >> At 11:25 PM 12/9/03 -0600, you wrote:
> >> >> I use old browsers. MSIE 5.50 and Netscape 4.77 both work OK for me.
> >> >> (i.e.
> >> >> http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.htm
> >> >> displays on the address line for both)
> >> >
> >> <snip>
> >> 
> >> >On IE 5.0 on Windows, there was nothing after http://www.microsoft.com ...
> >> and actually, if I go into the URL bar on IE and type
> >> http://www.microsoft.com, I will see in the history, almost the same link I
> >> see in Mozilla, except with the %01 replaced by a box (standard unprintable
> >> character)
> >> 
> >> On IE 5.5 in Windows, I get the full address. Maybe MS fixed it in 5.5,
> >> then for some reason unfixed in 6.0?
> >
> >You can't replicate the problem by just pasting the link above into your
> >address bar. You need to access the link from here:
> >
> >http://www.zapthedingbat.com/security/ex01/vun1.htm
> >
> >Press the "Test Exploit" button.
> 
> The effect appears to require active script. Even going to that link, IE
> 5.5 won't go anywhere from the button with scripting turned off (how I
> default my browsers). It happens to be one of my pet peeves when coders use
> scripting when a simple link will do.
> 
> In NS 4.77, there is no button even with scripting on.

The button requires scripting, not the exploit.
Read the code, and you'll see that the JavaScript way of
demonstrating the exploit is easier to stick in an HTML file than it
would be to actually try and stick an ASCII character #1 in there.

-- 
I usually have a GPG digital signature included as an attachment.
See http://www.gnupg.org/ for info about these digital signatures.
My key was last signed 10/14/2003. If you use GPG *please* see me about 
signing the key. ***** My computer can't give you viruses by email. ***
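The URL shape discussed in this thread (a hostname-looking userinfo part, a hidden control character, then the real host after the `@`), as an added example that is not part of the original post or of the zapthedingbat demo: a small Python check, usable in a mail filter or when reviewing proxy logs, that splits out the userinfo, percent-decodes it, and flags a URL whose userinfo hides a control character such as ASCII #1 or reads like a hostname. The sample URLs are constructed from the one quoted above; the function and field names are my own.

```python
import re
from urllib.parse import urlsplit, unquote

# Control characters (including ASCII #1 from the thread) that old browsers
# used as a cue to stop drawing the address.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
# Userinfo that reads like a hostname is the decoy: what a user sees first
# ("www.microsoft.com") is not where the request goes.
HOSTLIKE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)


def inspect_url(url: str) -> dict:
    """Report the host a URL really reaches and whether its userinfo is a decoy.

    verdict is 'suspicious' when userinfo hides a control character or looks
    like a hostname, 'userinfo' when credentials are present but ordinary,
    and 'clean' when there is no userinfo at all.
    """
    parts = urlsplit(url)
    userinfo, sep, _ = parts.netloc.rpartition("@")
    result = {"actual_host": (parts.hostname or "").lower(), "userinfo": "",
              "decoy_host": "", "has_control_char": False, "verdict": "clean"}
    if not sep:
        return result
    # Percent-decode so "%01" and a literal byte 0x01 are treated alike.
    decoded = unquote(userinfo)
    has_control = bool(CONTROL_CHARS.search(decoded))
    # Drop control chars, then check whether the visible prefix reads as a host.
    visible = CONTROL_CHARS.sub("", decoded).split(":", 1)[0]
    looks_like_host = bool(HOSTLIKE.match(visible))
    result.update(userinfo=decoded, has_control_char=has_control,
                  decoy_host=visible if looks_like_host else "",
                  verdict="suspicious" if (has_control or looks_like_host) else "userinfo")
    return result


if __name__ == "__main__":
    # Constructed samples: the thread's URL in percent-encoded form, the same
    # with a literal ASCII #1 (what the JavaScript demo injects), and two benign URLs.
    samples = [
        "http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.htm",
        "http://www.microsoft.com\x01@zapthedingbat.com/security/ex01/vun2.htm",
        "http://user:secret@example.com/",
        "http://www.example.com/path",
    ]
    for s in samples:
        r = inspect_url(s)
        print(f"{r['verdict']:10} host={r['actual_host']} decoy={r['decoy_host']!r}")
```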
