Re: M$loth messes with our sites (again)

This WebDNA talk-list message is from 2004.


on 2/3/04 9:06 AM, John Peacock at jpeacock@rowman.com so noted...

> I am aware that in the past there was discussion of people using
>
> http://username:password@domain.tld
>
> with their sites (for various purposes including Log Out from a secure site).
> However, M$loth has disabled this feature in order to paper over other problems
> with their security model. Here are the details:
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;834489

-----------------
From the 832894 security update:

> A malicious user could also use this URL syntax to create a hyperlink that
> appears to open a legitimate Web site but actually opens a deceptive (spoofed)
> Web site. For example, the following URL appears to open
> http://www.wingtiptoys.com but actually opens http://example.com:
>
> http://www.wingtiptoys.com@example.com

-----------------
And next week, from the 832895 security update:

> Internet Explorer currently allows hyperlinks to contain any text.
> Unfortunately, a malicious user could also use this HTML syntax to create a
> hyperlink that appears to open a legitimate Web site but actually opens a
> deceptive (spoofed) Web site.
>
> http://goodsite.com
>
> To mitigate the issues that are discussed in the "Background information"
> section of this article, the 832895 security update removes support for
> handling HTML of this form in Internet Explorer and Windows Explorer. After
> you install the 832895 security update, Windows Explorer and Internet Explorer
> do not open HTTP or HTTPS sites by using a hyperlink that encloses additional
> text. By default, if additional text is included in an HTTP or an HTTPS
> hyperlink, a Web page with the following title appears:
>
> "Microsoft owns j00"
>
> Web authors should use the following proprietary syntax which will display the
> link address and _only_ the link address on the page to ensure that web
> surfers are not misdirected on the internet.
>

Reading their KB article 833786 makes it sound like this may not be far off.

Rob Marquardt
Designer/Resident Wirehead
Toast Design
800 Washington Avenue North
Minneapolis MN 55401
612.330.9863 v
612.321.9424 f
www.toastdesign.com

Associated Messages, from the most recent to the oldest:

    
  1. Re: M$loth messes with our sites (again) 2004/02/03 ( Clint Davis 2004)
  2. Re: M$loth messes with our sites (again) 2004/02/03 ( Kalin Mintchev 2004)
  3. Re: M$loth messes with our sites (again) 2004/02/03 ( Clint Davis 2004)
  4. Re: M$loth messes with our sites (again) 2004/02/03 ( Glenn Busbin 2004)
  5. Re: M$loth messes with our sites (again) 2004/02/03 ( Clint Davis 2004)
  6. Re: M$loth messes with our sites (again) 2004/02/03 ( Kalin Mintchev 2004)
  7. Re: M$loth messes with our sites (again) 2004/02/03 ( "Sal D'Anna" 2004)
  8. Re: M$loth messes with our sites (again) 2004/02/03 ( Kalin Mintchev 2004)
  9. Re: M$loth messes with our sites (again) ( "Dan Strong" 2004)
  10. Re: M$loth messes with our sites (again) ( Clint Davis 2004)
  11. Re: M$loth messes with our sites (again) ( "Dan Strong" 2004)
  12. Re: M$loth messes with our sites (again) ( Clint Davis 2004)
  13. Re: M$loth messes with our sites (again) ( Rob Marquardt 2004)
  14. M$loth messes with our sites (again) ( John Peacock 2004)
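
The two link patterns quoted in the message above (a hostname placed in the userinfo part of a URL, and link text that shows a different address than the one the link opens), checked in code. This is an added example, not part of the original post or of the Microsoft articles; the function names, the finding labels and the `badsite.example` href are constructed for illustration.

```javascript
// Added example: classify a hyperlink by the real host it opens.
// Expects absolute http(s) URLs; function names and finding labels are assumptions.

// Heuristic: a userinfo string shaped like a hostname, e.g. "www.wingtiptoys.com".
const HOSTLIKE = /^(?:[a-z0-9-]+\.)+[a-z]{2,}$/i;

function safeDecode(s) {
  // A stray "%" would make decodeURIComponent throw; fall back to the raw string.
  try { return decodeURIComponent(s); } catch { return s; }
}

function inspectUrl(raw) {
  const u = new URL(raw); // the host is whatever follows the last "@" in the authority
  return {
    host: u.hostname,
    hasUserinfo: u.username !== "" || u.password !== "",
    userinfoLooksLikeHost: HOSTLIKE.test(safeDecode(u.username)),
  };
}

function inspectLink(href, text) {
  const target = inspectUrl(href);
  const findings = [];
  if (target.userinfoLooksLikeHost) findings.push("userinfo-resembles-host");
  else if (target.hasUserinfo) findings.push("embedded-credentials");

  // When the visible text is itself an http(s) URL, its host must match the href's.
  let shownHost = null;
  try {
    const shown = new URL(text.trim());
    if (/^https?:$/.test(shown.protocol)) shownHost = shown.hostname;
  } catch { /* link text is ordinary words, not a URL */ }
  if (shownHost !== null && shownHost !== target.host) findings.push("text-host-mismatch");

  return { host: target.host, findings };
}

// Samples: the first two hrefs are from the message; the third href is constructed.
const samples = [
  ["http://www.wingtiptoys.com@example.com", "http://www.wingtiptoys.com"],
  ["http://username:password@domain.tld", "Log Out"],
  ["http://badsite.example/", "http://goodsite.com"],
];
for (const [href, text] of samples) {
  const r = inspectLink(href, text);
  console.log(`${href} -> opens ${r.host} [${r.findings.join(", ") || "ok"}]`);
}
```
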
