[vox-tech] OT: one of the most pernicious spams i've ever seen.

Ken Bloom vox-tech@lists.lugod.org
Thu, 25 Sep 2003 22:27:12 -0700


On 2003.09.25 21:53, Rob Rogers wrote:
> Again, I still had my previous emails in my head, and was continuing
> from there, making assumptions about things without specifying them.
> I believe we're talking about two very different things here. The
> only Hotmail exploits I've seen have had to do with a username as an
> argument at the end of a URL. For instance:
> http://www.hotmail.com/cgi-bin/login?lang=EN&country=US&login=user1
>
> In that case, your browser has no idea what/where your username is,
> or even if there is one there. There is really no way to tell
> (assuming "login" could be replaced by anything). What I was talking
> about was a URL formatted in the form we saw in the original email:
> http://username:password@www.example.com/
>
> If you can show a case where a browser was passing on that whole URL,
> including the username and password, I'd be interested in seeing it.
> I'm not saying it hasn't happened, but I'd be surprised. That is
> what I was referring to as a "MAJOR security flaw." Actually, I take
> that back. I wouldn't be surprised to see that it has happened. I
> would be surprised to see one of the major browsers that still has
> such a security hole in it.

Well, Galeon (and probably Mozilla) appear to be OK. I set up netcat to
listen on a port, then set up a web page on my computer's tiny personal
web server to connect to that port through a hyperlink. I connected to
the page with the URL http://bloom@localhost/~bloom/test.html (the
browser continued to show this URL, as written), then clicked the link.
The result in netcat's window:

GET / HTTP/1.1
Host: 127.0.0.1:2487
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030908 Galeon/1.3.9
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
Accept-Language: en,he;q=0.7,fr;q=0.3
Accept-Encoding: gzip, deflate, compress;q=0.9
Accept-Charset: UTF-8,*
Keep-Alive: 300
Connection: keep-alive
Referer: http://localhost/~bloom/test.html

I'm sure that once upon a time, somebody made this mistake. Try this
with IE.

--
I usually have a GPG digital signature included as an attachment.
See http://www.gnupg.org/ for info about these digital signatures.
My key was last signed 6/10/2003. If you use GPG, *please* see me about
signing the key. ***** My computer can't give you viruses by email. ***
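Added example, not part of the original post and not code from Galeon, Mozilla or any other browser: a small Python script that puts the check Ken ran into code. referer_for() builds the Referer value a conforming user agent should send when leaving a page that was reached through a URL carrying userinfo (RFC 7231, section 5.5.2, requires the userinfo and fragment components to be dropped), and find_userinfo_leaks() scans a captured HTTP request, the kind of text netcat prints, for any header whose value still contains a user:password@host component. The two sample requests are constructed here: one modelled on the capture above, one altered to show what a browser that forwards credentials would leak.

```python
"""Added example, not part of the original post or of any browser's code.

referer_for(url) builds the Referer value a conforming user agent sends
when leaving `url`: RFC 7231 section 5.5.2 requires the userinfo and
fragment components to be dropped.  find_userinfo_leaks(raw_request)
scans a captured HTTP request (the text netcat prints) for header values
that still carry a user:password@host component.  The two sample
requests below are constructed for this example.
"""
import re
from typing import List
from urllib.parse import urlsplit, urlunsplit

# Matches "scheme://userinfo@" anywhere in a header value.
_USERINFO_URL = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*://[^/?#\s@]+@")


def referer_for(url: str) -> str:
    """Referer value for a page loaded from `url`, with credentials and
    fragment removed (RFC 7231 section 5.5.2)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:            # IPv6 literal: urlsplit strips the brackets
        host = f"[{host}]"
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, ""))


def find_userinfo_leaks(raw_request: str) -> List[str]:
    """Names of headers (or "(request-line)") whose value contains a URL
    with embedded credentials.  Only the header block is scanned."""
    leaks = []
    head = raw_request.split("\n\n", 1)[0]          # stop at end of headers
    for i, line in enumerate(head.splitlines()):
        if i == 0:
            name, value = "(request-line)", line    # e.g. GET / HTTP/1.1
        elif ":" in line:
            name, value = line.split(":", 1)
        else:
            continue
        if _USERINFO_URL.search(value):
            leaks.append(name.strip())
    return leaks


# Constructed sample: modelled on the netcat capture in the post above.
CLEAN_REQUEST = """GET / HTTP/1.1
Host: 127.0.0.1:2487
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030908 Galeon/1.3.9
Accept: text/html;q=0.9,text/plain;q=0.8,*/*;q=0.1
Connection: keep-alive
Referer: http://localhost/~bloom/test.html

"""

# Constructed sample: what a browser that forwards userinfo would send.
LEAKY_REQUEST = CLEAN_REQUEST.replace(
    "Referer: http://localhost/",
    "Referer: http://bloom:secret@localhost/",
)

if __name__ == "__main__":
    print(referer_for("http://bloom:secret@localhost/~bloom/test.html#top"))
    print("clean request leaks:", find_userinfo_leaks(CLEAN_REQUEST))
    print("leaky request leaks:", find_userinfo_leaks(LEAKY_REQUEST))
```

Run against a real capture by pasting netcat's output into find_userinfo_leaks(); an empty list is the result Ken got from Galeon, while a non-empty list names the header that forwarded the credentials.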
