Re: M$loth messes with our sites (again)

This WebDNA talk-list message is from

2004


It keeps the original formatting.
numero = 55864
interpreted = N
texte = on 2/3/04 9:06 AM, John Peacock at jpeacock@rowman.com so noted... > I am aware that in the past there was discussion of people using > > http://username:password@domain.tld > > with their sites (for various purposes including Log Out from a secure site). > However, M$loth has disable this feature in order to paper over other problems > with their security model. Here are the details: > > http://support.microsoft.com/default.aspx?scid=kb;en-us;834489 ----------------- From the 832894 security update : > A malicious user could also use this URL syntax to create a hyperlink that > appears to open a legitimate Web site but actually opens a deceptive (spoofed) > Web site. For example, the following URL appears to open > http://www.wingtiptoys.com but actually opens http://example.com: > > http://www.wingtiptoys.com@example.com ----------------- And next week, from the 832895 security update: > Internet Explorer currently allows hyperlinks to contain any text. > Unfortunately, a malicious user could also use this HTML syntax to create a > hyperlink that appears to open a legitimate Web site but actually opens a > deceptive (spoofed) Web site. > > http://goodsite.com > > To mitigate the issues that are discussed in the "Background information" > section of this article, the 832895 security update removes support for > handling HTML of this form in Internet Explorer and Windows Explorer. After > you install the 832895 security update, Windows Explorer and Internet Explorer > do not open HTTP or HTTPS sites by using a hyperlink that encloses additional > text. By default, if additional text is included in an HTTP or an HTTPS > hyperlink, a Web page with the following title appears: > > "Microsoft owns j00" > > Web authors should use the following proprietary syntax which will display the > link address and _only_ the link address on the page to ensure that web > surfers are not misdirected on the internet. > > Reading their KB article 833786 makes it sound like this may not be far off. Rob Marquardt Designer/Resident Wirehead Toast Design 800 Washington Avenue North Minneapolis MN 55401 612.330.9863 v 612.321.9424 f www.toastdesign.com ------------------------------------------------------------- This message is sent to you because you are subscribed to the mailing list . To unsubscribe, E-mail to: To switch to the DIGEST mode, E-mail to Web Archive of this list is at: http://webdna.smithmicro.com/ Associated Messages, from the most recent to the oldest:

    
  1. Re: M$loth messes with our sites (again) 2004/02/03 ( Clint Davis 2004)
  2. Re: M$loth messes with our sites (again) 2004/02/03 ( Kalin Mintchev 2004)
  3. Re: M$loth messes with our sites (again) 2004/02/03 ( Clint Davis 2004)
  4. Re: M$loth messes with our sites (again) 2004/02/03 ( Glenn Busbin 2004)
  5. Re: M$loth messes with our sites (again) 2004/02/03 ( Clint Davis 2004)
  6. Re: M$loth messes with our sites (again) 2004/02/03 ( Kalin Mintchev 2004)
  7. Re: M$loth messes with our sites (again) 2004/02/03 ( "Sal D'Anna" 2004)
  8. Re: M$loth messes with our sites (again) 2004/02/03 ( Kalin Mintchev 2004)
  9. Re: M$loth messes with our sites (again) ( "Dan Strong" 2004)
  10. Re: M$loth messes with our sites (again) ( Clint Davis 2004)
  11. Re: M$loth messes with our sites (again) ( "Dan Strong" 2004)
  12. Re: M$loth messes with our sites (again) ( Clint Davis 2004)
  13. Re: M$loth messes with our sites (again) ( Rob Marquardt 2004)
  14. M$loth messes with our sites (again) ( John Peacock 2004)
on 2/3/04 9:06 AM, John Peacock at jpeacock@rowman.com so noted... > I am aware that in the past there was discussion of people using > > http://username:password@domain.tld > > with their sites (for various purposes including Log Out from a secure site). > However, M$loth has disable this feature in order to paper over other problems > with their security model. Here are the details: > > http://support.microsoft.com/default.aspx?scid=kb;en-us;834489 ----------------- From the 832894 security update : > A malicious user could also use this URL syntax to create a hyperlink that > appears to open a legitimate Web site but actually opens a deceptive (spoofed) > Web site. For example, the following URL appears to open > http://www.wingtiptoys.com but actually opens http://example.com: > > http://www.wingtiptoys.com@example.com ----------------- And next week, from the 832895 security update: > Internet Explorer currently allows hyperlinks to contain any text. > Unfortunately, a malicious user could also use this HTML syntax to create a > hyperlink that appears to open a legitimate Web site but actually opens a > deceptive (spoofed) Web site. > > http://goodsite.com > > To mitigate the issues that are discussed in the "Background information" > section of this article, the 832895 security update removes support for > handling HTML of this form in Internet Explorer and Windows Explorer. After > you install the 832895 security update, Windows Explorer and Internet Explorer > do not open HTTP or HTTPS sites by using a hyperlink that encloses additional > text. By default, if additional text is included in an HTTP or an HTTPS > hyperlink, a Web page with the following title appears: > > "Microsoft owns j00" > > Web authors should use the following proprietary syntax which will display the > link address and _only_ the link address on the page to ensure that web > surfers are not misdirected on the internet. > > Reading their KB article 833786 makes it sound like this may not be far off. Rob Marquardt Designer/Resident Wirehead Toast Design 800 Washington Avenue North Minneapolis MN 55401 612.330.9863 v 612.321.9424 f www.toastdesign.com ------------------------------------------------------------- This message is sent to you because you are subscribed to the mailing list . To unsubscribe, E-mail to: To switch to the DIGEST mode, E-mail to Web Archive of this list is at: http://webdna.smithmicro.com/ Rob Marquardt

DOWNLOAD WEBDNA NOW!

Top Articles:

Talk List

The WebDNA community talk-list is the best place to get some help: several hundred extremely proficient programmers with an excellent knowledge of WebDNA and an excellent spirit will deliver all the tips and tricks you can imagine...

Related Readings:

my SOS last week... (1996) SiteGuard Admin Feature ? (1997) setting HTTP response header (1998) Where is f2? (1997) Showif, Hideif reverse logic ? (1997) Corrupt Database Problem... (2000) Random question (1998) [WriteFile] problems (1997) Emailer Blackmail (1998) Help with Shipping Costs (1997) Car Database (2002) Anybody see this before? (2006) Where's Cart Created ? (1997) (2000) Reloading Shopping Carts (1998) Price and Formula.db (2002) redirect from the errorsMessages.db entry (1997) form data submission gets truncated (1997) SiteGaurd file Cache vs webcatalog cache (1997) List dead? (2000)