Re: M$loth messes with our sites (again)

This WebDNA talk-list message is from

2004


It keeps the original formatting.
numero = 55864
interpreted = N
texte = on 2/3/04 9:06 AM, John Peacock at jpeacock@rowman.com so noted... > I am aware that in the past there was discussion of people using > > http://username:password@domain.tld > > with their sites (for various purposes including Log Out from a secure site). > However, M$loth has disable this feature in order to paper over other problems > with their security model. Here are the details: > > http://support.microsoft.com/default.aspx?scid=kb;en-us;834489 ----------------- From the 832894 security update : > A malicious user could also use this URL syntax to create a hyperlink that > appears to open a legitimate Web site but actually opens a deceptive (spoofed) > Web site. For example, the following URL appears to open > http://www.wingtiptoys.com but actually opens http://example.com: > > http://www.wingtiptoys.com@example.com ----------------- And next week, from the 832895 security update: > Internet Explorer currently allows hyperlinks to contain any text. > Unfortunately, a malicious user could also use this HTML syntax to create a > hyperlink that appears to open a legitimate Web site but actually opens a > deceptive (spoofed) Web site. > > http://goodsite.com > > To mitigate the issues that are discussed in the "Background information" > section of this article, the 832895 security update removes support for > handling HTML of this form in Internet Explorer and Windows Explorer. After > you install the 832895 security update, Windows Explorer and Internet Explorer > do not open HTTP or HTTPS sites by using a hyperlink that encloses additional > text. By default, if additional text is included in an HTTP or an HTTPS > hyperlink, a Web page with the following title appears: > > "Microsoft owns j00" > > Web authors should use the following proprietary syntax which will display the > link address and _only_ the link address on the page to ensure that web > surfers are not misdirected on the internet. > > Reading their KB article 833786 makes it sound like this may not be far off. Rob Marquardt Designer/Resident Wirehead Toast Design 800 Washington Avenue North Minneapolis MN 55401 612.330.9863 v 612.321.9424 f www.toastdesign.com ------------------------------------------------------------- This message is sent to you because you are subscribed to the mailing list . To unsubscribe, E-mail to: To switch to the DIGEST mode, E-mail to Web Archive of this list is at: http://webdna.smithmicro.com/ Associated Messages, from the most recent to the oldest:

    
  1. Re: M$loth messes with our sites (again) 2004/02/03 ( Clint Davis 2004)
  2. Re: M$loth messes with our sites (again) 2004/02/03 ( Kalin Mintchev 2004)
  3. Re: M$loth messes with our sites (again) 2004/02/03 ( Clint Davis 2004)
  4. Re: M$loth messes with our sites (again) 2004/02/03 ( Glenn Busbin 2004)
  5. Re: M$loth messes with our sites (again) 2004/02/03 ( Clint Davis 2004)
  6. Re: M$loth messes with our sites (again) 2004/02/03 ( Kalin Mintchev 2004)
  7. Re: M$loth messes with our sites (again) 2004/02/03 ( "Sal D'Anna" 2004)
  8. Re: M$loth messes with our sites (again) 2004/02/03 ( Kalin Mintchev 2004)
  9. Re: M$loth messes with our sites (again) ( "Dan Strong" 2004)
  10. Re: M$loth messes with our sites (again) ( Clint Davis 2004)
  11. Re: M$loth messes with our sites (again) ( "Dan Strong" 2004)
  12. Re: M$loth messes with our sites (again) ( Clint Davis 2004)
  13. Re: M$loth messes with our sites (again) ( Rob Marquardt 2004)
  14. M$loth messes with our sites (again) ( John Peacock 2004)
on 2/3/04 9:06 AM, John Peacock at jpeacock@rowman.com so noted... > I am aware that in the past there was discussion of people using > > http://username:password@domain.tld > > with their sites (for various purposes including Log Out from a secure site). > However, M$loth has disable this feature in order to paper over other problems > with their security model. Here are the details: > > http://support.microsoft.com/default.aspx?scid=kb;en-us;834489 ----------------- From the 832894 security update : > A malicious user could also use this URL syntax to create a hyperlink that > appears to open a legitimate Web site but actually opens a deceptive (spoofed) > Web site. For example, the following URL appears to open > http://www.wingtiptoys.com but actually opens http://example.com: > > http://www.wingtiptoys.com@example.com ----------------- And next week, from the 832895 security update: > Internet Explorer currently allows hyperlinks to contain any text. > Unfortunately, a malicious user could also use this HTML syntax to create a > hyperlink that appears to open a legitimate Web site but actually opens a > deceptive (spoofed) Web site. > > http://goodsite.com > > To mitigate the issues that are discussed in the "Background information" > section of this article, the 832895 security update removes support for > handling HTML of this form in Internet Explorer and Windows Explorer. After > you install the 832895 security update, Windows Explorer and Internet Explorer > do not open HTTP or HTTPS sites by using a hyperlink that encloses additional > text. By default, if additional text is included in an HTTP or an HTTPS > hyperlink, a Web page with the following title appears: > > "Microsoft owns j00" > > Web authors should use the following proprietary syntax which will display the > link address and _only_ the link address on the page to ensure that web > surfers are not misdirected on the internet. > > Reading their KB article 833786 makes it sound like this may not be far off. Rob Marquardt Designer/Resident Wirehead Toast Design 800 Washington Avenue North Minneapolis MN 55401 612.330.9863 v 612.321.9424 f www.toastdesign.com ------------------------------------------------------------- This message is sent to you because you are subscribed to the mailing list . To unsubscribe, E-mail to: To switch to the DIGEST mode, E-mail to Web Archive of this list is at: http://webdna.smithmicro.com/ Rob Marquardt

DOWNLOAD WEBDNA NOW!

Top Articles:

Talk List

The WebDNA community talk-list is the best place to get some help: several hundred extremely proficient programmers with an excellent knowledge of WebDNA and an excellent spirit will deliver all the tips and tricks you can imagine...

Related Readings:

FW: ANother SHOWIF problem (1997) StoreBuilder UPS/XML code question ... (2003) CyberSource (2005) [WebDNA] [OT] Free Windows FTP client recommendations (2009) [cart] how is it generated (2002) Re:Virtual hosting and webcatNT (1997) WebCatalog 2.0.1 NT beta 1 released (1997) Upload Progress Bar (2003) Calendar (1997) Follow-up to listfiles bug report ... (2003) [OT] Happy Turkey Day! (2003) Multiple SSL Keys (1998) WebDNA Solutions ... sorry! (1997) PSC recommends what date format yr 2000??? (1997) Help!!!! (1997) WebCat2 - [include] tags (1997) Email notification to one of multiple vendors ? (1997) Version 4? (2000) Getting total number of items ordered (1997) Bugs? What Bugs? was:Spawning Holdup? (2000)