Re: M$loth messes with our sites (again)

This WebDNA talk-list message is from

2004


It keeps the original formatting.
numero = 55864
interpreted = N
texte = on 2/3/04 9:06 AM, John Peacock at jpeacock@rowman.com so noted... > I am aware that in the past there was discussion of people using > > http://username:password@domain.tld > > with their sites (for various purposes including Log Out from a secure site). > However, M$loth has disable this feature in order to paper over other problems > with their security model. Here are the details: > > http://support.microsoft.com/default.aspx?scid=kb;en-us;834489 ----------------- From the 832894 security update : > A malicious user could also use this URL syntax to create a hyperlink that > appears to open a legitimate Web site but actually opens a deceptive (spoofed) > Web site. For example, the following URL appears to open > http://www.wingtiptoys.com but actually opens http://example.com: > > http://www.wingtiptoys.com@example.com ----------------- And next week, from the 832895 security update: > Internet Explorer currently allows hyperlinks to contain any text. > Unfortunately, a malicious user could also use this HTML syntax to create a > hyperlink that appears to open a legitimate Web site but actually opens a > deceptive (spoofed) Web site. > > http://goodsite.com > > To mitigate the issues that are discussed in the "Background information" > section of this article, the 832895 security update removes support for > handling HTML of this form in Internet Explorer and Windows Explorer. After > you install the 832895 security update, Windows Explorer and Internet Explorer > do not open HTTP or HTTPS sites by using a hyperlink that encloses additional > text. By default, if additional text is included in an HTTP or an HTTPS > hyperlink, a Web page with the following title appears: > > "Microsoft owns j00" > > Web authors should use the following proprietary syntax which will display the > link address and _only_ the link address on the page to ensure that web > surfers are not misdirected on the internet. > > Reading their KB article 833786 makes it sound like this may not be far off. Rob Marquardt Designer/Resident Wirehead Toast Design 800 Washington Avenue North Minneapolis MN 55401 612.330.9863 v 612.321.9424 f www.toastdesign.com ------------------------------------------------------------- This message is sent to you because you are subscribed to the mailing list . To unsubscribe, E-mail to: To switch to the DIGEST mode, E-mail to Web Archive of this list is at: http://webdna.smithmicro.com/ Associated Messages, from the most recent to the oldest:

    
  1. Re: M$loth messes with our sites (again) 2004/02/03 ( Clint Davis 2004)
  2. Re: M$loth messes with our sites (again) 2004/02/03 ( Kalin Mintchev 2004)
  3. Re: M$loth messes with our sites (again) 2004/02/03 ( Clint Davis 2004)
  4. Re: M$loth messes with our sites (again) 2004/02/03 ( Glenn Busbin 2004)
  5. Re: M$loth messes with our sites (again) 2004/02/03 ( Clint Davis 2004)
  6. Re: M$loth messes with our sites (again) 2004/02/03 ( Kalin Mintchev 2004)
  7. Re: M$loth messes with our sites (again) 2004/02/03 ( "Sal D'Anna" 2004)
  8. Re: M$loth messes with our sites (again) 2004/02/03 ( Kalin Mintchev 2004)
  9. Re: M$loth messes with our sites (again) ( "Dan Strong" 2004)
  10. Re: M$loth messes with our sites (again) ( Clint Davis 2004)
  11. Re: M$loth messes with our sites (again) ( "Dan Strong" 2004)
  12. Re: M$loth messes with our sites (again) ( Clint Davis 2004)
  13. Re: M$loth messes with our sites (again) ( Rob Marquardt 2004)
  14. M$loth messes with our sites (again) ( John Peacock 2004)
on 2/3/04 9:06 AM, John Peacock at jpeacock@rowman.com so noted... > I am aware that in the past there was discussion of people using > > http://username:password@domain.tld > > with their sites (for various purposes including Log Out from a secure site). > However, M$loth has disable this feature in order to paper over other problems > with their security model. Here are the details: > > http://support.microsoft.com/default.aspx?scid=kb;en-us;834489 ----------------- From the 832894 security update : > A malicious user could also use this URL syntax to create a hyperlink that > appears to open a legitimate Web site but actually opens a deceptive (spoofed) > Web site. For example, the following URL appears to open > http://www.wingtiptoys.com but actually opens http://example.com: > > http://www.wingtiptoys.com@example.com ----------------- And next week, from the 832895 security update: > Internet Explorer currently allows hyperlinks to contain any text. > Unfortunately, a malicious user could also use this HTML syntax to create a > hyperlink that appears to open a legitimate Web site but actually opens a > deceptive (spoofed) Web site. > > http://goodsite.com > > To mitigate the issues that are discussed in the "Background information" > section of this article, the 832895 security update removes support for > handling HTML of this form in Internet Explorer and Windows Explorer. After > you install the 832895 security update, Windows Explorer and Internet Explorer > do not open HTTP or HTTPS sites by using a hyperlink that encloses additional > text. By default, if additional text is included in an HTTP or an HTTPS > hyperlink, a Web page with the following title appears: > > "Microsoft owns j00" > > Web authors should use the following proprietary syntax which will display the > link address and _only_ the link address on the page to ensure that web > surfers are not misdirected on the internet. > > Reading their KB article 833786 makes it sound like this may not be far off. Rob Marquardt Designer/Resident Wirehead Toast Design 800 Washington Avenue North Minneapolis MN 55401 612.330.9863 v 612.321.9424 f www.toastdesign.com ------------------------------------------------------------- This message is sent to you because you are subscribed to the mailing list . To unsubscribe, E-mail to: To switch to the DIGEST mode, E-mail to Web Archive of this list is at: http://webdna.smithmicro.com/ Rob Marquardt

DOWNLOAD WEBDNA NOW!

Top Articles:

Talk List

The WebDNA community talk-list is the best place to get some help: several hundred extremely proficient programmers with an excellent knowledge of WebDNA and an excellent spirit will deliver all the tips and tricks you can imagine...

Related Readings:

Extended [ConvertChars] (1997) Upload Plugin (1998) suffix mapping, use of cache, etc. (1997) Performance Issue (2000) WebCat2 - [format thousands] (1997) WCS Newbie question (1997) Strange database format import (2000) Alternating BGColors in Table Rows (1998) [WebDNA] add rows dynamically (2018) can WC render sites out? (1997) Internet Explorer 6 Form problems (2005) Database Field Additions (2000) getchars broken? (1997) WebCat2b15MacPlugin - showing [math] (1997) Locking up with WebCatalog... (1997) Bug? (1997) WebCat2b13 Command Reference Doc error (1997) Only charge card when product shipped ? (1997) Re:Emailer and encryption (1997) Multi-Row Tables from a search. (1997)