
[IP] more on Over and out




Delivered-To: dfarber+@xxxxxxxxxxxxxxxxxx
Date: Fri, 30 Jan 2004 14:46:43 -0600
From: Mike Skallas <user245@xxxxxxxxxxx>
Subject: Re: [IP] more on (seems it is not just IE -- ) MSFT: don't click on
 links, type them in by hand
To: dave@xxxxxxxxxx

> this vulnerability is also present in Mozilla, so Mr. Link's solution
> fails on its merits.

This is simply untrue.  You can test the vulnerability here:

http://www.secunia.com/internet_explorer_address_bar_spoofing_test

On firebird .7 the URL box reads:

http://www.microsoft.com%01%00@xxxxxxxxxxx/internet_explorer_address_bar_spoofing_test/

On Mozilla 1.5 it reads:

http://www.microsoft.com%01%00@xxxxxxxxxxx/internet_explorer_address_bar_spoofing_test/

On IE 6 it reads:

http://www.microsoft.com


Mike
http://everythingisnt.com
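The three browser readings above all come from the same kind of URL: a decoy hostname placed in the userinfo part (the text before "@"), followed by %01%00 so that some address bars stop rendering before the real host. The following link checker is an added example, not code from either poster or from Secunia; it assumes constructed placeholder hosts (attacker.example and friends) rather than the thread's redacted test host. It does what a mail gateway or a reviewer of proxy logs would want: parse the link the way a standards-following URL parser does, report which host the link really resolves to, and flag a userinfo that contains control characters or that looks like a hostname.

```python
"""Flag links whose userinfo carries a decoy hostname (address-bar spoofing)."""
import re
from urllib.parse import unquote, urlsplit

# Constructed sample links; the hosts are placeholders, not the thread's test host.
SAMPLE_LINKS = [
    "http://www.microsoft.com%01%00@attacker.example/spoof_test/",  # decoy + %01%00
    "http://www.microsoft.com@attacker.example/",                    # decoy, no controls
    "http://www.microsoft.com/windows/",                             # ordinary link
    "ftp://anonymous@ftp.example.org/pub/",                          # legitimate userinfo
]

# Something that reads like a DNS name: labels separated by dots.
HOSTNAME_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)


def analyse_link(url):
    """Return the real host of a link and the reasons (if any) it looks spoofed."""
    parts = urlsplit(url)
    real_host = parts.hostname or ""        # the host after '@', lowercased
    userinfo = parts.username               # text before '@' in the authority, or None
    reasons = []
    if userinfo is not None:
        decoded = unquote(userinfo)         # turns %01%00 back into raw control bytes
        if any(ord(ch) < 0x20 for ch in decoded):
            reasons.append("control characters in userinfo")
        # What a user would see if the address bar cut off at the first control char.
        visible = "".join(ch for ch in decoded if ord(ch) >= 0x20)
        if HOSTNAME_RE.match(visible):
            reasons.append("userinfo looks like a hostname (%s)" % visible)
    return {"url": url, "real_host": real_host, "userinfo": userinfo, "reasons": reasons}


def suspicious_links(urls):
    """Return only the links that triggered at least one reason."""
    return [r for r in (analyse_link(u) for u in urls) if r["reasons"]]


if __name__ == "__main__":
    for result in (analyse_link(u) for u in SAMPLE_LINKS):
        verdict = "; ".join(result["reasons"]) or "ok"
        print("%-62s -> %-18s %s" % (result["url"], result["real_host"], verdict))
```

The check deliberately keys on the real host rather than on the decoy: whatever the address bar shows, the connection goes to `parts.hostname`, which is the value worth logging or comparing against a blocklist. The "looks like a hostname" rule also catches the plain `decoy@realhost` form without %01%00, which older browsers rendered in full but which still fools a reader who stops at the first dot-separated name.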

and

From: Steven Champeon <schampeo@xxxxxxxxxxx>
Subject: Re: [IP] more on (seems it is not just IE -- ) MSFT: don't click on
 links, type them in by hand
X-Originating-IP: [127.0.0.1]
To: Dave Farber <dave@xxxxxxxxxx>
Cc: bc@xxxxxxxxxxxxxxx

on Fri, Jan 30, 2004 at 03:36:08PM -0500, Dave Farber wrote:
> Delivered-To: dfarber+@xxxxxxxxxxxxxxxxxx
> Date: Fri, 30 Jan 2004 14:13:34 -0500 (EST)
> From: Bruce Campbell <bc@xxxxxxxxxxxxxxx>
> Subject: Re: [IP] [Boing Boing Blog] MSFT: don't click on links,
>  type them in by hand
> To: dave@xxxxxxxxxx

<snip>

> I'd be interested in knowing what browsers/mail readers fail the test.

Safari 1.1.1 (Panther) passes with flying colors, FWIW - the entire URL,
%00 and all, is displayed in the status bar (if shown). But the link still
takes you to clicknation.com.

If the status bar is hidden, which is possible by way of a window.open()
Javascript call with the right parameters - which can be launched by an
unwitting user clicking on a link with an onclick event handler defined
- then all bets are off.

Steve

--
hesketh.com/inc. v: (919) 834-2552 f: (919) 834-2554 w: http://hesketh.com
Book publishing is second only to furniture delivery in slowness. -b. schneier


Archives at: http://www.interesting-people.org/archives/interesting-people/