On Thu, 5 Sep 2002 [EMAIL PROTECTED] wrote: > * Most (MOST) posts to bugtraq get rejected
That would be, I imagine, because most of what arrives to [EMAIL PROTECTED] is spam. > * Security issues sent to bugtraq get 'sat on' by secfocus. Priority > customers get priority notice. Makes me wonder how much SF customers had to pay for 0-day knowledge of the http://www.ebay.com%...%40 trick. > Obviously the bugtraq moderators cannot see any issues with obfuscated > URL's that look like http://www.ebay.com%252f%40evil.site.goes.here. Considering the fact that you are the inventor of this technique, which has been used for ages to obfuscate URLs and play pranks on less knowledgeable users, and the fact that it does not buy you a thing - at least with a person who knows how URLs work... It's vulnerability the same way as SMTP is buggy because "From:" can be forged. Here's a typical, ancient example of this prank I grepped from my mailbox... http:[EMAIL PROTECTED]/britney/index.html Yes, you could fool a clueless user and make him think he's visiting www.microsoft.com and has to enter his credit card number now. But same way, you could fool him with a mail from "Administrator <[EMAIL PROTECTED]>". Or by telling him "I send you this file in order to have your advice". But the vulnerable component is the user who has insufficient knowledge about the tools he's using, not the software that is working pretty well. -- Michal Zalewski Opinions expressed herein are mine, but generally I disagree with them. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
