On 2003.09.25 21:53, Rob Rogers wrote:
> Again, I still had my previous emails in my head, and was continuing
> from there, making assumptions about things without specifying them.
> I believe we're talking about two very different things here. The
> only Hotmail exploits I've seen have had to do with a username as an
> argument at the end of a URL, for instance
> http://www.hotmail.com/cgi-bin/login?lang=EN&country=US&login=user1
>
> In that case, your browser has no idea what/where your username is,
> or even if there is one there. There is really no way to tell
> (assuming "login" could be replaced by anything). What I was talking
> about was a URL formatted in the form we saw in the original email:
> http://username:[EMAIL PROTECTED]/
>
> If you can show a case where a browser was passing on that whole URL,
> including the username and password, I'd be interested in seeing it.
> I'm not saying it hasn't happened, but I'd be surprised. That is
> what I was referring to as a "MAJOR security flaw." Actually, I take
> that back. I wouldn't be surprised to see that it has happened. I
> would be surprised to see one of the major browsers that still has
> such a security hole in it.

Well, Galeon (and probably Mozilla) appear to be OK. I set up netcat to
listen on a port, then set up a web page on my computer's tiny personal
web server to connect to that port through a hyperlink. I connected to
the page with the URL http://[EMAIL PROTECTED]/~bloom/test.html (the
browser continued to show this URL, as written), then clicked the link.
The result in netcat's window:

GET / HTTP/1.1
Host: 127.0.0.1:2487
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030908 Galeon/1.3.9
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
Accept-Language: en,he;q=0.7,fr;q=0.3
Accept-Encoding: gzip, deflate, compress;q=0.9
Accept-Charset: UTF-8,*
Keep-Alive: 300
Connection: keep-alive
Referer: http://localhost/~bloom/test.html

I'm sure that once upon a time, somebody made this mistake. Try this with IE.

-- 
I usually have a GPG digital signature included as an attachment.
See http://www.gnupg.org/ for info about these digital signatures.
My key was last signed 6/10/2003. If you use GPG, *please* see me about
signing the key.
***** My computer can't give you viruses by email. ***
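The test above boils down to one check: when a page is loaded from a URL carrying userinfo (http://user:pass@host/...), does the Referer the browser sends on the next request still contain that userinfo? The following is an added example, not code from the thread, that automates the check over a captured request: it parses the raw HTTP request text (the kind of thing netcat prints), pulls out the Referer, flags any embedded credentials, and computes what a correct client should have sent instead (the URL with userinfo and fragment stripped, which is what current browsers do). The two sample requests are constructed for this example; the first mirrors the headers posted above, the second is a hypothetical leaky client with a made-up user name and password, not an observed browser.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample input: the request shape the poster captured with netcat
# (Referer has no userinfo, as a correct browser sends it).
SAFE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: 127.0.0.1:2487\r\n"
    "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030908 Galeon/1.3.9\r\n"
    "Connection: keep-alive\r\n"
    "Referer: http://localhost/~bloom/test.html\r\n"
    "\r\n"
)

# Constructed sample input: a hypothetical leaky client that copied the
# userinfo from the page URL into the Referer. Credentials are invented.
LEAKY_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: 127.0.0.1:2487\r\n"
    "Referer: http://bloom:secret@localhost/~bloom/test.html\r\n"
    "\r\n"
)


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (request_line, {lowercased header: value})."""
    head, _sep, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _sep, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def referrer_for(url: str) -> str:
    """The value a correct client should send as Referer for a page at `url`:
    same scheme, host, port, path and query, but no userinfo and no fragment."""
    parts = urlsplit(url)
    netloc = parts.hostname or ""
    if parts.port is not None:
        netloc += f":{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, ""))


def find_leaks(raw: str):
    """Return a list of findings, one per Referer header that carries userinfo.
    Each finding records the leaked username/password and the safe value
    the client should have sent instead."""
    _req_line, headers = parse_request(raw)
    referer = headers.get("referer")
    if not referer:
        return []
    parts = urlsplit(referer)
    if parts.username is None and parts.password is None:
        return []
    return [{
        "header": "Referer",
        "value": referer,
        "username": parts.username,
        "password": parts.password,
        "expected_referer": referrer_for(referer),
    }]


if __name__ == "__main__":
    for label, req in (("galeon-style capture", SAFE_REQUEST), ("hypothetical leaky client", LEAKY_REQUEST)):
        leaks = find_leaks(req)
        print(f"{label}: {'LEAK ' + repr(leaks) if leaks else 'no userinfo in Referer'}")
```

To reuse this against a real capture, paste the request netcat printed into SAFE_REQUEST's place (joining the header lines with CRLF); a non-empty result from find_leaks means the browser forwarded the credentials from the address bar to a third-party server.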
