On Mon, 15 Sep 2003 [EMAIL PROTECTED] wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Quite recently, Verisign took over the internet. What parts, you might
> ask?
>
> Well, the parts in nomad land.
>
> Do a dig on _anything_you_like.net, and you'll find an IP. Point a
> browser at http://junkurlblahblah.net, and you'll find yourself at
> sitefinder.verisign.com
>
> This by itself doesn't create a vulnerability, however, when combined
> with a XSS bug, this works in IE:
>
> http://";alert('slut');".net

And how is this a security issue that is of anything more than trivial importance? How is it a "global XSS" hole? The hole is on a page on sitefinder.verisign.com, not on the server that is answering for *.net and *.com. All that server does is redirect you. The impact of the hole is the same regardless of if the *.com and *.net wildcard exists or not.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
