[vox-tech] New phishing vulnerability

Ken Bloom vox-tech@lists.lugod.org
Thu, 11 Dec 2003 21:48:10 -0800


On Thu, Dec 11, 2003 at 08:52:04PM -0800, Larry Ozeran wrote:
> At 03:53 PM 12/11/03 -0800, you wrote:
> >On Thu, 2003-12-11 at 15:47, Larry Ozeran wrote:
> >> At 11:25 PM 12/9/03 -0600, you wrote:
> >> >> I use old browsers. MSIE 5.50 and Netscape 4.77 both work OK for me.
> >> >> (i.e. http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.htm
> >> >> displays on the address line for both)
> >> >
> >> <snip>
> >>
> >> >On IE 5.0 on Windows, there was nothing after http://www.microsoft.com ...
> >> and actually, if I go into the URL bar on IE and type
> >> http://www.microsoft.com, I will see in the history, almost the same link I
> >> see in Mozilla, except with the %01 replaced by a box (standard unprintable
> >> character)
> >>
> >> On IE 5.5 in Windows, I get the full address. Maybe MS fixed it in 5.5,
> >> then for some reason unfixed in 6.0?
> >
> >You can't replicate the problem by just pasting the link above into your address
> >bar. You need to access the link from here:
> >
> >http://www.zapthedingbat.com/security/ex01/vun1.htm
> >
> >Press the "Test Exploit" button.
>
> The effect appears to require active script. Even going to that link, IE
> 5.5 won't go anywhere from the button with scripting turned off (how I
> default my browsers). It happens to be one of my pet peeves when coders use
> scripting when a simple link will do.
>
> In NS 4.77, there is no button even with scripting on.

The button requires scripting, not the exploit.
The button read the code, and you'll see that the JavaScript way of
demonstrating the exploit is easier to stick in an HTML file than it
would be to actually try and stick an ASCII character #1 in there.

--
I usually have a GPG digital signature included as an attachment.
See http://www.gnupg.org/ for info about these digital signatures.
My key was last signed 10/14/2003. If you use GPG *please* see me about
signing the key. ***** My computer can't give you viruses by email. ***

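Added example (not part of the original message or of the demonstration page it discusses): a defender-side check that flags the URL form quoted in this thread, where the text before the "@" is userinfo and the host actually contacted is what follows it. The function name inspectLink and the finding labels are assumptions made for this example.

```javascript
'use strict';

// Percent-encoded C0 control characters or DEL (%00-%1F, %7F), e.g. the %01 in the thread.
const ENCODED_CONTROL = /%(?:[01][0-9a-f]|7f)/i;
// Raw control characters, in case the link was built without percent-encoding.
const RAW_CONTROL = /[\u0000-\u001f\u007f]/;
// Userinfo that starts like a DNS name, e.g. "www.example.com".
const HOSTLIKE = /^(?:[a-z0-9-]+\.)+[a-z]{2,}/i;

// inspectLink (hypothetical name) splits the authority by hand so that no
// parser normalises the suspicious characters away before we look at them.
function inspectLink(href) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^\/?#]*)/i.exec(href);
  if (!m) return { host: null, userinfo: null, findings: ['no-authority'] };

  const authority = m[1];
  const at = authority.lastIndexOf('@');          // host starts after the LAST '@'
  const userinfo = at === -1 ? null : authority.slice(0, at);
  const host = (at === -1 ? authority : authority.slice(at + 1))
    .toLowerCase()
    .replace(/:\d+$/, '');                        // drop an explicit port

  const findings = [];
  if (userinfo !== null) {
    findings.push('has-userinfo');
    if (ENCODED_CONTROL.test(userinfo) || RAW_CONTROL.test(userinfo)) {
      findings.push('control-char-in-userinfo');
    }
    if (HOSTLIKE.test(userinfo)) findings.push('userinfo-looks-like-host');
  }
  return { host, userinfo, findings };
}

// First two links are the ones quoted in the thread; the third is constructed.
const SAMPLES = [
  'http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.htm',
  'http://www.zapthedingbat.com/security/ex01/vun1.htm',
  'ftp://alice@files.example.org:21/pub',
];
for (const link of SAMPLES) {
  const r = inspectLink(link);
  console.log(`${r.host}\t[${r.findings.join(', ')}]\t${link}`);
}
```

A mail or proxy filter can show r.host to the user, or refuse the link, whenever findings contains more than 'has-userinfo'.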