[Full-Disclosure] Global *.net XSS, thank you Verisign(TM)
- To: full-disclosure@xxxxxxxxxxxxxxxx
- Subject: [Full-Disclosure] Global *.net XSS, thank you Verisign(TM)
- From: <xss_slut@xxxxxxxxxxxx>
- Date: Mon, 15 Sep 2003 20:35:43 -0700
Quite recently, Verisign took over the internet. What parts, you might
ask?
Well, the parts in nomad land.
Do a dig on _anything_you_like.net, and you'll find an IP. Point a
browser at http://junkurlblahblah.net, and you'll find yourself at
sitefinder.verisign.com.
This by itself doesn't create a vulnerability; however, when combined
with an XSS bug, this works in IE:
http://";alert('slut');".net
This wildcard DNS on the .net TLD will wreak havoc on mail
servers, and a few other utilities that don't cleanly validate DNS names.
Other less exciting versions of this XSS:
http://sitefinder.verisign.com/lpc?url=meow'><script>alert(document.cookie)</script><'
There is some other really funky stuff going on with JS on the sitefinder
site - take a peek at the source under the portal pages.
Finally, Verisign, you are now the number 1 domain squatter. Eat a big
bowl of dicks.
-xss_slut
This post has been brought by the letter S and the number 4
Greets to your grandmother.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
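The validation gap the post points at (mail servers and other utilities that take any .net answer at face value) can be closed on the client side by probing the TLD with names that cannot exist and treating a match against that wildcard answer as the NXDOMAIN it should have been. This is an added example, not code from the post or from Verisign; the resolver, hostnames and addresses (TEST-NET 192.0.2.0/24) are constructed stand-ins, and the `resolve` parameter is injectable so the check runs offline.

```python
import random
import socket
import string
from typing import Callable, Optional, Set

Resolver = Callable[[str], str]


def _random_label(length: int = 12) -> str:
    # Random so a probe can never land on a name somebody actually registered.
    return "".join(random.choice(string.ascii_lowercase) for _ in range(length))


def detect_tld_wildcard(tld: str, resolve: Resolver = socket.gethostbyname,
                        probes: int = 3) -> Optional[Set[str]]:
    """Resolve a few names that cannot exist under `tld`.
    A healthy zone fails every probe (NXDOMAIN); a wildcarded zone like
    2003-era .net answers all of them. Returns the wildcard's address set,
    or None when the zone behaves."""
    answers: Set[str] = set()
    for _ in range(probes):
        try:
            answers.add(resolve(f"{_random_label()}.{tld}"))
        except OSError:
            return None  # a nonexistent name failed to resolve: no wildcard
    return answers


def is_sinkholed(name: str, tld: str, resolve: Resolver = socket.gethostbyname) -> bool:
    """True when `name` only 'resolves' because the TLD wildcard caught it.
    A mail server that calls this before trusting an A record can treat the
    wildcard hit as a lookup failure instead of a live host."""
    wildcard = detect_tld_wildcard(tld, resolve)
    if not wildcard:
        return False
    return resolve(name) in wildcard


def _fake_resolver(name: str) -> str:
    # Constructed stand-in for the 2003 .net zone: one real host, every other
    # .net name answered by the wildcard. Addresses are TEST-NET placeholders,
    # not the real Site Finder address.
    real = {"mail.example.net": "192.0.2.25"}
    if name in real:
        return real[name]
    if name.endswith(".net"):
        return "192.0.2.1"  # placeholder for the wildcard (Site Finder) host
    raise socket.gaierror(f"{name}: NXDOMAIN")


if __name__ == "__main__":
    print("wildcard answer for .net:", detect_tld_wildcard("net", _fake_resolver))
    for host in ("mail.example.net", "nosuchhost.net"):
        print(host, "SINKHOLED" if is_sinkholed(host, "net", _fake_resolver) else "ok")
```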