> -----Original Message----- > From: Windows NTBugtraq Mailing List > [mailto:[EMAIL PROTECTED] On Behalf Of > [EMAIL PROTECTED] > Sent: Tuesday, June 15, 2004 3:00 PM > To: [EMAIL PROTECTED] > Subject: MAGIC XSS INTO THE DNS: coelacanth > > Tuesday, June 15, 2004 > > The following courtesy of 'bitlance winter' adds an entirely new > dimension to the matter and also suggest some additional > peculiarities at play: > > <a href='http://"><plaintext>.e-gold.com'>foo</a> > > <a href='http://"><script>alert()<% > 2Fscript>.e-gold.com'>foo</a> > > these will inject arbitrary html and script into the site in the > context of the 'intranet zone', which means one no longer needs > to go out and setup a site with the dns issue, all one needs to > do is locate a functioning site, include their code into a > suitable url, either direct the target via that or place an > iframe elsewhere pointing to it.
Because the wildcarding is a bit too wild. For instance, "http://&money.e-gold.com/ " resolves. And, "http://&money;G-Money&OGbabyOG.e-gold.com/" resolves. In e-gold's case, they actually take the url line and render it variously in their dynamic html on their page. > > Still unclear how or why this can be interpreted into the site > or through the browser. > > credit: 'bitlance winter' > > > End Call > > -- > http://www.malware.com > > ----- > NTBugtraq Editor's Note: > > Want to reply to the person who sent this message? This list > is configured such that just hitting reply is going to result > in the message coming to the list, not to the individual who > sent the message. This was done to help reduce the number of > Out of Office messages posters received. So if you want to > send a reply just to the poster, you''ll have to copy their > email address out of the message and place it in your TO: field. > ----- > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
