l i n u x - u s e r s - g r o u p - o f - d a v i s
Next Meeting:
July 7: Social gathering
Next Installfest:
Latest News:
Jun. 14: June LUGOD meeting cancelled
Page last updated:
2003 Sep 25 22:40

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
Re: [vox-tech] OT: one of the most pernicious spams i've ever seen.
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [vox-tech] OT: one of the most pernicious spams i've ever seen.

On 2003.09.25 21:53, Rob Rogers wrote:
> Again, I still had my previous emails in my head, and was continuing  
> from there, making assumptions about things without specifying them.  
> I believe we're talking about two very different things here. The  
> only Hotmail exploits I've seen have had to do with a username as an  
> argument at the end of a URL. for instance  
> http://www.hotmail.com/cgi-bin/login?lang=EN&country=US&login=user1
> In that case, your browser has no idea what/where your username is,   
> or  even if there is one there. There is really no way to tell  
> (assuming  "login" could be replaced by anything). What I was talking 

> about was  a  URL formated in the form we saw in the original email:  
> http://username:password@www.example.com/
> If you can show a case where a browser was passing on that whole URL, 

> including the username and password, I'd be interested in seeing it.  
> I'm  not saying it hasn't happened, but I'd be surprised. That is 
> what I  was  refering to as a "MAJOR security flaw." Actually, I take 
> that back. I  wouldn't be surprised to see that it has happened. I 
> would be  surprised  to see one of the major browsers that still has 
> such a security hole in it.

Well, Galeon (and probably Mozilla) appear to be OK. I setup netcat to 
listen on a port, then set up a web page on my computer's tiny personal 
web server to connect to that port through a hyperlink. I connected to 
the page with the URL: http://bloom@localhost/~bloom/test.html, (the
browser continued to show this url, as written) then clicked the link.
The result in netcat's window:

GET / HTTP/1.1
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4)
Gecko/20030908 Galeon/1.3.9
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,
Accept-Language: en,he;q=0.7,fr;q=0.3
Accept-Encoding: gzip, deflate, compress;q=0.9
Accept-Charset: UTF-8,*
Keep-Alive: 300
Connection: keep-alive
Referer: http://localhost/~bloom/test.html

I'm sure that once upon a time, somebody made this mistake. Try this

I usually have a GPG digital signature included as an attachment.
See http://www.gnupg.org/ for info about these digital signatures.
My key was last signed 6/10/2003. If you use GPG, *please* see me about
signing the key. ***** My computer can't give you viruses by email. ***

Attachment: pgp00017.pgp
Description: PGP signature

LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
O'Reilly and Associates
For numerous book donations.