Re: [vox-tech] OT: one of the most pernicious spams i've ever seen.
On 2003.09.25 21:53, Rob Rogers wrote:
> Again, I still had my previous emails in my head, and was continuing
> from there, making assumptions about things without specifying them.
> I believe we're talking about two very different things here. The
> only Hotmail exploits I've seen have had to do with a username as an
> argument at the end of a URL. for instance
> http://www.hotmail.com/cgi-bin/login?lang=EN&country=US&login=user1
>
> In that case, your browser has no idea what/where your username is,
> or even if there is one there. There is really no way to tell
> (assuming "login" could be replaced by anything). What I was talking
> about was a URL formatted in the form we saw in the original email:
> http://username:password@www.example.com/
>
> If you can show a case where a browser was passing on that whole URL,
> including the username and password, I'd be interested in seeing it.
> I'm not saying it hasn't happened, but I'd be surprised. That is
> what I was referring to as a "MAJOR security flaw." Actually, I take
> that back. I wouldn't be surprised to see that it has happened. I
> would be surprised to see one of the major browsers that still has
> such a security hole in it.
Well, Galeon (and probably Mozilla) appear to be OK. I set up netcat to
listen on a port, then set up a web page on my computer's tiny personal
web server to connect to that port through a hyperlink. I connected to
the page with the URL: http://bloom@localhost/~bloom/test.html (the
browser continued to show this URL, as written), then clicked the link.
The result in netcat's window:
GET / HTTP/1.1
Host: 127.0.0.1:2487
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030908 Galeon/1.3.9
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
Accept-Language: en,he;q=0.7,fr;q=0.3
Accept-Encoding: gzip, deflate, compress;q=0.9
Accept-Charset: UTF-8,*
Keep-Alive: 300
Connection: keep-alive
Referer: http://localhost/~bloom/test.html
I'm sure that once upon a time, somebody made this mistake. Try this
with IE.
--
I usually have a GPG digital signature included as an attachment.
See http://www.gnupg.org/ for info about these digital signatures.
My key was last signed 6/10/2003. If you use GPG, *please* see me about
signing the key. ***** My computer can't give you viruses by email. ***
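The netcat experiment above can be scripted so the check is repeatable against any browser. The following is an added example, not code from the post or the list: it opens a local listener the way netcat did, reads one HTTP request, and inspects the Referer header for URL userinfo (the user:password@host form). The two sample requests are constructed: the first reproduces the Galeon request shown in the post, the second is a hypothetical request from a browser that does leak the credentials, so the checker has both outcomes to report on.

```python
import socket
import threading
from urllib.parse import urlsplit

# Constructed sample: the request Galeon sent in the post (no userinfo in Referer).
SAFE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: 127.0.0.1:2487\r\n"
    "Referer: http://localhost/~bloom/test.html\r\n"
    "Connection: close\r\n\r\n"
)

# Constructed, hypothetical sample of what a leaky browser would send
# (not observed on the page; the password value is made up).
LEAKY_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: 127.0.0.1:2487\r\n"
    "Referer: http://bloom:hunter2@localhost/~bloom/test.html\r\n"
    "Connection: close\r\n\r\n"
)


def parse_headers(raw):
    """Split a raw HTTP/1.x request head into a lower-cased header dict.
    Folded continuation lines (leading whitespace) are appended to the previous header."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    last = None
    for line in head.split("\r\n")[1:]:  # skip the request line
        if not line:
            continue
        if line[0] in " \t" and last:
            headers[last] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        headers[last] = value.strip()
    return headers


def referer_userinfo(headers):
    """Return (username, password) if the Referer carries URL userinfo, else None."""
    ref = headers.get("referer")
    if not ref:
        return None
    parts = urlsplit(ref)
    if parts.username is None and parts.password is None:
        return None
    return (parts.username, parts.password)


def check_request(raw):
    """Report whether this raw request's Referer leaked URL credentials."""
    return referer_userinfo(parse_headers(raw))


def open_listener(host="127.0.0.1", port=0):
    """Bind a listening socket like `nc -l`; port 0 lets the OS pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def receive_request(srv, timeout=5.0):
    """Accept one connection, read the request head, answer 200, return the raw text."""
    srv.settimeout(timeout)
    conn, _ = srv.accept()
    with conn:
        conn.settimeout(timeout)
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = conn.recv(4096)
            if not chunk:
                break
            buf += chunk
        conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
    return buf.decode("latin-1")


def send_raw(port, raw):
    """Stand-in for the browser click: push a constructed request at the listener."""
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.sendall(raw.encode("latin-1"))
        c.recv(4096)


def run_self_test(raw):
    """Listen, send `raw` from a background thread, and return the leak result."""
    srv, port = open_listener()
    try:
        t = threading.Thread(target=send_raw, args=(port, raw))
        t.start()
        got = receive_request(srv)
        t.join()
    finally:
        srv.close()
    return check_request(got)


if __name__ == "__main__":
    for name, raw in (("galeon sample", SAFE_REQUEST), ("constructed leaky", LEAKY_REQUEST)):
        print(name, "->", run_self_test(raw) or "no userinfo in Referer")
```

To test a real browser, call open_listener() with a fixed port, point a page's hyperlink at http://127.0.0.1:PORT/, load that page through a user@host URL as in the post, and pass what receive_request() returns to check_request(); anything other than None means the browser put the URL credentials into the Referer.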