Re: M$loth messes with our sites (again)
This WebDNA talk-list message is from 2004
It keeps the original formatting.
numero = 55864
interpreted = N
texte = on 2/3/04 9:06 AM, John Peacock at jpeacock@rowman.com so noted...

> I am aware that in the past there was discussion of people using
>
> http://username:password@domain.tld
>
> with their sites (for various purposes including Log Out from a secure site).
> However, M$loth has disabled this feature in order to paper over other problems
> with their security model. Here are the details:
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;834489

-----------------

From the 832894 security update:

> A malicious user could also use this URL syntax to create a hyperlink that
> appears to open a legitimate Web site but actually opens a deceptive (spoofed)
> Web site. For example, the following URL appears to open
> http://www.wingtiptoys.com but actually opens http://example.com:
>
> http://www.wingtiptoys.com@example.com

-----------------

And next week, from the 832895 security update:

> Internet Explorer currently allows hyperlinks to contain any text.
> Unfortunately, a malicious user could also use this HTML syntax to create a
> hyperlink that appears to open a legitimate Web site but actually opens a
> deceptive (spoofed) Web site.
>
> http://goodsite.com
>
> To mitigate the issues that are discussed in the "Background information"
> section of this article, the 832895 security update removes support for
> handling HTML of this form in Internet Explorer and Windows Explorer. After
> you install the 832895 security update, Windows Explorer and Internet Explorer
> do not open HTTP or HTTPS sites by using a hyperlink that encloses additional
> text. By default, if additional text is included in an HTTP or an HTTPS
> hyperlink, a Web page with the following title appears:
>
> "Microsoft owns j00"
>
> Web authors should use the following proprietary syntax which will display the
> link address and _only_ the link address on the page to ensure that web
> surfers are not misdirected on the internet.
>
>

Reading their KB article 833786 makes it sound like this may not be far off.

Rob Marquardt
Designer/Resident Wirehead
Toast Design
800 Washington Avenue North
Minneapolis MN 55401
612.330.9863 v
612.321.9424 f
www.toastdesign.com

-------------------------------------------------------------
This message is sent to you because you are subscribed to the mailing list .
To unsubscribe, E-mail to:
To switch to the DIGEST mode, E-mail to
Web Archive of this list is at: http://webdna.smithmicro.com/
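
Added example, not part of the original message and not Microsoft's code: a link audit that reports the host a URL really resolves to and flags the two patterns quoted above (hostname-shaped userinfo before the `@`, and link text that names a different host than the link target). The function names, finding labels and `badsite.example` are assumptions made for illustration.

```javascript
// Added example: flags the two link-spoofing patterns quoted in the message.
// hostOf(), auditLink() and the finding labels are hypothetical names.

// Return the real network host of a URL-looking string, or null if it is not one.
function hostOf(text) {
  try {
    const u = new URL(text.trim());
    return (u.protocol === 'http:' || u.protocol === 'https:') ? u.hostname : null;
  } catch {
    return null;
  }
}

function auditLink(href, linkText = '') {
  const findings = [];
  let url;
  try {
    url = new URL(href);
  } catch {
    return { host: null, findings: ['unparseable-href'] };
  }
  // Everything before '@' in the authority is userinfo, never the host.
  if (url.username || url.password) {
    findings.push('userinfo-present');
    // Userinfo shaped like a hostname is the wingtiptoys.com@example.com pattern.
    if (/^(www\.)?[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(url.username)) {
      findings.push('userinfo-looks-like-host');
    }
  }
  // Visible text that is itself a URL must name the same host as the href.
  const shown = hostOf(linkText);
  if (shown !== null && shown !== url.hostname) {
    findings.push('text-host-mismatch');
  }
  return { host: url.hostname, findings };
}

// Constructed sample links: [href, visible link text].
const samples = [
  ['http://www.wingtiptoys.com@example.com', ''],
  ['http://username:password@domain.tld', ''],
  ['http://badsite.example/', 'http://goodsite.com'],
  ['http://goodsite.com/', 'http://goodsite.com'],
];
for (const [href, text] of samples) {
  const r = auditLink(href, text);
  console.log(href, '->', r.host, r.findings.join(',') || 'clean');
}
```
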