Title: RE: FWD: Internet Explorer URL parsing vulnerability
umm tested this you don't need %01 either
btw.
[EMAIL PROTECTED]
was messing around with some hex style as well is
there a way to call a file:// inside a http:// because the issue with doing the @
trick is it appends http:// automat
Title: RE: FWD: Internet Explorer URL parsing vulnerability
ok if you're using Outlook, yay for IE being tied
in, it translates all the hex for you and those urls do work inside
of Outlook, since IE can translate the hex, whereas if you enter
it manually it doesn't.
- Original Message
Hello,
I have never heard of Astaro -- what type of firewall does it provide?
How does it filter http, POP and smtp?
For desktop A/V Etrust has a nice product.
For mail -- if you want a commercial product (some companies require
this because then they have "vendor support" -- like a
Title: RE: FWD: Internet Explorer URL parsing vulnerability
Hmm, it doesn't seem to work on my browser :)
I don't even get transported to any page when I click the button.
But then again, I have everything turned off in the internet zone by default...
(but my submit non-encrypted form data is
Scam apparently...
Invalid Item
The item you requested (2769788079) is invalid, still pending, or no
longer in our database. Please check the number and try again. If this
message persists, the item has either not started and is not yet
available for viewing, or has expired and is no longer availa
yahoo claims to have fixed this problem. latest version is now 5.6.0.1356.
see http://messenger.yahoo.com/security/update4.html
afaik, the "Yahoo Messenger Flaw allows injection of JavaScript into IM
Windows" problem reported to bugtraq by chet simpson on 12/5 remains unfixed.
marc
At 04:06 1
http://www.citibank.com";
onClick="location.href=unescape('http://[EMAIL PROTECTED]
om'); return false;">Citibank will show http://www.citibank.com in the
status and location bar but direct them to wells fargo.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf
Here's a fully functional self-explanatory demo:
http://www.malware.com/hole-e-day.zip
functional from these quarters on fully patched IE6 / OE6
No doubt many will receive nice holiday greetings soon enough
END CALL
The following works on Outlook Express 6 latest everything. Running
on XP
Free Kevin with every Happy Meal
Tamer Sahin wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=2769788079
Tamer Sahin
http://www.securityoffice.net
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.1 (MingW32)
iD8DBQE/yjjngfeC/CdyvS8RAsU3AKDB
The following works on Outlook Express 6 latest everything. Running
on XP.
http://cert.uni-stuttgart.de/archive/bugtraq/2003/07/msg00249.html
09% pushes malware.com out of sight in the task bar, and %01 leaves
microsoft.com intact in the address bar:
http://www.microsoft.com%01%09%09%09%09%0
Michal Zalewski <[EMAIL PROTECTED]> wrote:
> > http://[EMAIL PROTECTED]
> > won't work until you
> > unescape('http://[EMAIL PROTECTED]');
>
> Out of sheer curiosity (no MSIE at hand)... would it work with:
>
> http://[EMAIL PROTECTED]">
>
> ...meaning, put literal ASCII character #001 in a h
"Clint Bodungen" <[EMAIL PROTECTED]> wrote:
> Well, using a straight link like the following works in an HTML email... but
> not on a web page:
>
> http://[EMAIL PROTECTED]">Microsoft
>
> However, using this approach still allows the user to see the absolute URL
> path in the task bar (with the
Are you guys getting slapped in the face with someone's SPAM filter with
this thread as well?
Every time I send a post to the thread I'm getting it bounced back saying it
was flagged as SPAM.
Like I mentioned earlier... talk about irony.
___
Full-Disclosu
Well, using a straight link like the following works in an HTML email... but
not on a web page:
http://[EMAIL PROTECTED]">Microsoft
However, using this approach still allows the user to see the absolute URL
path in the task bar (with the %01 omitted).
On the other hand... using the button and "
On Tue, 9 Dec 2003, S G Masood wrote:
> http://[EMAIL PROTECTED]
> won't work until you
> unescape('http://[EMAIL PROTECTED]');
Out of sheer curiosity (no MSIE at hand)... would it work with:
http://[EMAIL PROTECTED]">
...meaning, put literal ASCII character #001 in a href tag, as opposed to
--- Exibar <[EMAIL PROTECTED]> wrote:
> my favorite will be this one that I'm sure will
> circulate:
>
> http://[EMAIL PROTECTED]
>
> :-)
http://[EMAIL PROTECTED]
won't work until you
unescape('http://[EMAIL PROTECTED]');
>
> - Original Message -
> From: "S G Masood" <[EMAIL PROT
Talk about Irony! Well with that slap in the face I'll cease any more
replies to THIS thread.
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
On 09 Dec 03 10:22:59AM S G [EMAIL PROTECTED] wrote:
: ># POC ##
: >http://www.zapthedingbat.com/security/ex01/vun1.htm
:
Interestingly enough, MSIE for OS X doesn't display this behavior. My address
bar contained this URL:
http://[EMAIL PROTECTED]/security/ex01/vun2.htm
--
aka Dol
I don't really think it will make that much of a difference to their profits
considering anyone dumb enough to fall for those scams isn't going to know
the difference between an IP address in the URL box and a "spoofed" domain.
I had a client fall for an eBay scam and the end resulting domain in the U
Zap The Dingbat http://www.zapthedingbat.com/ posted
this to Bugtraq:
Internet Explorer URL parsing vulnerability
Vendor Notified 09 December, 2003
# Vulnerability ##
There is a flaw in the way that Internet Explorer
displays URLs in the address bar.
By opening a specially crafted URL
LOL. This is so simple and dangerous, it almost made
me laugh and cry at the same time. Most of you will
realise why...;D
The Paypal, AOL, Visa, Mastercard, et al email
scammers will have a harvest of gold this month with
lots of zombies falling for this simple technique.
># POC ##
>http
[Full-Disclosure] Mailing List Charter
John Cartwright <[EMAIL PROTECTED]> and Len Rose <[EMAIL PROTECTED]>
Introduction & Purpose
--
This document serves as a charter for the [Full-Disclosure] mailing
list hosted at lists.netsys.com.
The list was created on 9th July 2002
S-Quadra Advisory #2003-12-09
Topic: @Mail web interface multiple security vulnerabilities
Severity: Average
Vendor URL: http://www.atmail.com
Advisory URL: http://www.s-quadra.com/advisories/Adv-20031209.txt
Release date: 09 Dec 2003
1. DESCRIPTION
"@Mail is a feature rich