Re: M$loth messes with our sites (again)

This WebDNA talk-list message is from 2004. It keeps the original formatting.
on 2/3/04 9:06 AM, John Peacock at jpeacock@rowman.com so noted...

> I am aware that in the past there was discussion of people using
>
> http://username:password@domain.tld
>
> with their sites (for various purposes including Log Out from a secure site).
> However, M$loth has disabled this feature in order to paper over other problems
> with their security model. Here are the details:
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;834489

-----------------

From the 832894 security update:

> A malicious user could also use this URL syntax to create a hyperlink that
> appears to open a legitimate Web site but actually opens a deceptive (spoofed)
> Web site. For example, the following URL appears to open
> http://www.wingtiptoys.com but actually opens http://example.com:
>
> http://www.wingtiptoys.com@example.com

-----------------

And next week, from the 832895 security update:

> Internet Explorer currently allows hyperlinks to contain any text.
> Unfortunately, a malicious user could also use this HTML syntax to create a
> hyperlink that appears to open a legitimate Web site but actually opens a
> deceptive (spoofed) Web site.
>
> http://goodsite.com
>
> To mitigate the issues that are discussed in the "Background information"
> section of this article, the 832895 security update removes support for
> handling HTML of this form in Internet Explorer and Windows Explorer. After
> you install the 832895 security update, Windows Explorer and Internet Explorer
> do not open HTTP or HTTPS sites by using a hyperlink that encloses additional
> text. By default, if additional text is included in an HTTP or an HTTPS
> hyperlink, a Web page with the following title appears:
>
> "Microsoft owns j00"
>
> Web authors should use the following proprietary syntax which will display the
> link address and _only_ the link address on the page to ensure that web
> surfers are not misdirected on the internet.
>
>

Reading their KB article 833786 makes it sound like this may not be far off.

Rob Marquardt
Designer/Resident Wirehead
Toast Design
800 Washington Avenue North
Minneapolis MN 55401
612.330.9863 v
612.321.9424 f
www.toastdesign.com

Associated Messages, from the most recent to the oldest:

    
  1. Re: M$loth messes with our sites (again) 2004/02/03 ( Clint Davis 2004)
  2. Re: M$loth messes with our sites (again) 2004/02/03 ( Kalin Mintchev 2004)
  3. Re: M$loth messes with our sites (again) 2004/02/03 ( Clint Davis 2004)
  4. Re: M$loth messes with our sites (again) 2004/02/03 ( Glenn Busbin 2004)
  5. Re: M$loth messes with our sites (again) 2004/02/03 ( Clint Davis 2004)
  6. Re: M$loth messes with our sites (again) 2004/02/03 ( Kalin Mintchev 2004)
  7. Re: M$loth messes with our sites (again) 2004/02/03 ( "Sal D'Anna" 2004)
  8. Re: M$loth messes with our sites (again) 2004/02/03 ( Kalin Mintchev 2004)
  9. Re: M$loth messes with our sites (again) ( "Dan Strong" 2004)
  10. Re: M$loth messes with our sites (again) ( Clint Davis 2004)
  11. Re: M$loth messes with our sites (again) ( "Dan Strong" 2004)
  12. Re: M$loth messes with our sites (again) ( Clint Davis 2004)
  13. Re: M$loth messes with our sites (again) ( Rob Marquardt 2004)
  14. M$loth messes with our sites (again) ( John Peacock 2004)
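As an added example (not part of Rob Marquardt's message or of the Microsoft text it quotes), the JavaScript below uses the standard `URL` parser to report which host a link such as `http://www.wingtiptoys.com@example.com` actually connects to, and to pick such links out of a block of text. The function names, verdict labels, host-name heuristic and sample text are assumptions made for this illustration.

```javascript
// Added example: report where an http(s) URL really goes when it carries a
// userinfo part before "@". Names and verdict labels are illustrative.
const HOSTLIKE = /^(?:[a-z0-9-]+\.)+[a-z]{2,}$/i; // heuristic: "looks like a host name"

function inspectUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (err) {
    return { raw, verdict: "unparseable" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { raw, verdict: "not-http" };
  }
  const result = { raw, actualHost: url.hostname, verdict: "none" };
  if (url.username === "" && url.password === "") return result;
  // Everything before "@" is userinfo; the client connects to url.hostname.
  result.userinfo = url.username;
  result.verdict = HOSTLIKE.test(url.username)
    ? "host-lookalike-userinfo" // e.g. www.wingtiptoys.com@example.com
    : "credentials-in-url";     // e.g. username:password@domain.tld
  return result;
}

// Pull http(s) URLs out of free text and keep only those carrying userinfo.
function findUserinfoLinks(text) {
  const found = text.match(/https?:\/\/[^\s"'<>]+/gi) || [];
  return found
    .map((u) => inspectUrl(u.replace(/[.,:;)]+$/, ""))) // drop trailing punctuation
    .filter((r) => r.verdict === "host-lookalike-userinfo" ||
                   r.verdict === "credentials-in-url");
}

// Constructed sample text built from the URLs quoted in the message.
const SAMPLE = [
  "Log out link: http://username:password@domain.tld",
  "Visit http://www.wingtiptoys.com@example.com today.",
  "Plain link: http://www.wingtiptoys.com/",
].join("\n");

for (const r of findUserinfoLinks(SAMPLE)) {
  console.log(`${r.raw} -> connects to ${r.actualHost} (${r.verdict})`);
}
```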
