LUGOD: Linux Users' Group of Davis
 
Page last updated:
2003 Dec 12 16:51

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] New phishing vulnerability



On Fri, Dec 12, 2003 at 12:52:07AM -0800, Bill Kendrick wrote:
> Ah - here we go :)
> 
> 
> New IE Bug Hides Real Site Address
>     from the can't-blame-the-user-for-this-one dept.
>     posted by michael on Thursday December 11, @08:37 (ie)
>     http://slashdot.org/article.pl?sid=03/12/11/1319212

Reading the comments turned up something even scarier (when combined with this). First, I found out how to put the 0x01 directly in the HTML with a &#1. Second, there's a bug in both IE and Mozilla (just tested with 1.5.whatever's latest in Debian Sid) that nothing after a %00 will show up in the status bar. Combine the two, and (in IE) nothing after the username shows up in either the status bar or the URL bar.

POC
http://wizardstower.net/ie.html

The "Click me" link points to http://www.paypal.com&#1%00@wizardstower.net but on IE I see nothing after .com, and on Moz I see nothing after the 0x01 character (showing as one of those funky 'unknown character' type boxes).
_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
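
A defensive check for the link trick described in the post above, added here as an example (it is not part of the original message): it flags hrefs whose userinfo (the part before `@`) contains control characters or looks like a hostname, and reports the host the link actually connects to. The name `inspect_href`, the result keys and the finding labels are hypothetical; sample URLs other than the one quoted in the post are constructed.

```python
import re
from urllib.parse import unquote

_CHARREF = re.compile(r"&#(?:[xX]([0-9a-fA-F]+)|([0-9]+));?")
_AUTHORITY = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://([^/?#]*)")
_HOSTLIKE = re.compile(r"^[A-Za-z0-9\-]+(\.[A-Za-z0-9\-]+)+")
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def _decode_charrefs(text):
    """Decode numeric character references literally, so &#1 becomes U+0001.
    (html.unescape is not used here: it silently drops U+0001.)"""
    def repl(m):
        code = int(m.group(1), 16) if m.group(1) else int(m.group(2))
        return chr(code) if code <= 0x10FFFF else "\ufffd"
    return _CHARREF.sub(repl, text)


def inspect_href(raw_href):
    """Return None if the href has no userinfo, else a dict describing it."""
    # Decode entities first: the '#' in '&#1' would otherwise end the authority.
    m = _AUTHORITY.match(_decode_charrefs(raw_href))
    if not m or "@" not in m.group(1):
        return None
    userinfo, _, hostport = m.group(1).rpartition("@")
    decoded = unquote(userinfo)  # %00 -> NUL, %01 -> U+0001
    findings = []
    if _CONTROL.search(decoded):
        findings.append("control-char-in-userinfo")
    if _HOSTLIKE.match(decoded):
        findings.append("userinfo-looks-like-hostname")
    return {
        "connects_to": hostport.lower(),
        # Userinfo text that precedes the first control character.
        "text_before_control": _CONTROL.split(decoded, maxsplit=1)[0],
        "findings": findings,
    }


SAMPLES = [
    "http://www.paypal.com&#1%00@wizardstower.net",      # quoted in the post
    "http://lists.lugod.org/mailman/listinfo/vox-tech",  # no userinfo
    "http://user@example.org/",                          # constructed, benign
    "http://www.example.com%01%00@example.net/",         # constructed
]

if __name__ == "__main__":
    for href in SAMPLES:
        print(repr(href), "->", inspect_href(href))
```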


