[vox-tech] New phishing vulnerability

Larry Ozeran vox-tech@lists.lugod.org
Thu, 11 Dec 2003 20:52:04 -0800


At 03:53 PM 12/11/03 -0800, you wrote:
>On Thu, 2003-12-11 at 15:47, Larry Ozeran wrote:
>> At 11:25 PM 12/9/03 -0600, you wrote:
>> >> I use old browsers. MSIE 5.50 and Netscape 4.77 both work OK for me.
>> >> (i.e.
http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.htm
>> >> displays on the address line for both)
>> >
>> <snip>
>> 
>> >On IE 5.0 on Windows, there was nothing after http://www.microsoft.com ...
>> and actually, if I go into the URL bar on IE and type
>> http://www.microsoft.com, I will see in the history, almost the same link I
>> see in Mozilla, except with the %01 replaced by a box (standard unprintable
>> character)
>> 
>> On IE 5.5 in Windows, I get the full address. Maybe MS fixed it in 5.5,
>> then for some reason unfixed in 6.0?
>
>You can't replicate the problem by just pasting the link above into your
address
>bar. You need to access the link from here:
>
>http://www.zapthedingbat.com/security/ex01/vun1.htm
>
>Press the "Test Exploit" button.

The effect appears to require active script. Even going to that link, IE
5.5 won't go anywhere from the button with scripting turned off (how I
default my browsers). It happens to be one of my pet peeves when coders use
scripting when a simple link will do.

In NS 4.77, there is no button even with scripting on.

>
>> _______________________________________________
>> vox-tech mailing list
>> vox-tech@lists.lugod.org
>> http://lists.lugod.org/mailman/listinfo/vox-tech
>-- 
>R. Douglas Barbieri
>doug@dooglio.net
>http://www.dooglio.net
>
>GPG Fingerprint : FE6A 6A57 2B95 7594 E534  BFEE 45F1 9E5E F30A 8A27
>MIT.edu recv-key: C55B91D4
>GPG Public key  : http://www.dooglio.net/dooglio.asc
>
>Attachment Converted: "e:\eudora\attach\signature1.asc"
>