Ahh well, who would not remember the famous "unbreakable" DBMS... Their QA department is recruiting again: http://tinyurl.com/dork

Cheers
Steffen.

On Thu, 2003-10-30 at 02:11, Bassett, Mark wrote:
> Anyone want an Asus Motherboard from newegg? :)
>
> http://www.tinyurl/boob
>
>
> Mark Bassett
> Network Administrator
> World media company
> Omaha.com
> 402-898-2079
>
>
> -----Original Message-----
> From: Joel R. Helgeson [mailto:joel@helgeson.com]
> Sent: Wednesday, October 29, 2003 5:19 AM
> To: full-disclosure@netsys.com
> Subject: [Full-Disclosure] TinyURL
>
> This is an information leak rather than a real vulnerability. I thought it
> might be of interest to others...
>
> www.tinyurl.com is a website that will convert a long url to a short one. If
> you want to email a link to say, driving directions on mapquest, the url is
> rather long and will get broken up. Tinyurl will store that long link, and
> give you a short one that looks like: http://tinyurl.com/abcd
>
> It appears that the last four letters are incremented one letter at a time,
> so my URL may be aaaa, then aaab, and so forth.
> If people are using the tiny URL service to pass along URLs to sensitive
> information, it is easy to guess these URLs.
>
> I recently sent an email to someone with a tinyurl, and decided to change
> one character in the url and came across a link to a kiddie porn site...
> http://tinyurl.com/stab
>
> It's a coincidence that stab is a word, but it's just a few characters off
> from my URL; staa & stac are also valid URLs.
>
> The TinyURL service should use a randomly created string, rather than one
> that is incremented by one character. Regardless, users of this service
> could have the information they intend to share with others viewed by anyone
> that types in the string.
>
> Thoughts?
>
> Joel R. Helgeson
> Director of Networking & Security Services
> SymetriQ Corporation
>
> "Give a man fire, and he'll be warm for a day; set a man on fire, and he'll
> be warm for the rest of his life."
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
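The incrementing-code weakness Joel describes, beside the random-string fix he asks for, as an added Python example that is not from the thread. The Shortener class, the four-letter lowercase alphabet for the sequential scheme and the eight-character base62 random scheme are assumptions for illustration; the post does not say how TinyURL actually generated its codes.

```python
import math
import secrets
import string

LOWER = string.ascii_lowercase                 # "aaaa", "aaab", ... as in the post
BASE62 = string.ascii_letters + string.digits  # alphabet for the random scheme (assumed)


def sequential_code(n: int, length: int = 4) -> str:
    """Code for the n-th stored link under the incrementing scheme the post describes."""
    chars = []
    for _ in range(length):
        chars.append(LOWER[n % 26])
        n //= 26
    return "".join(reversed(chars))


def random_code(length: int = 8) -> str:
    """Code drawn from a CSPRNG, the fix the post asks for (random.choice is not enough)."""
    return "".join(secrets.choice(BASE62) for _ in range(length))


class Shortener:
    """Toy in-memory shortener (constructed for this example) running either scheme."""

    def __init__(self, random_ids: bool, length: int):
        self.random_ids = random_ids
        self.length = length
        self.links: dict[str, str] = {}

    def add(self, url: str) -> str:
        if self.random_ids:
            code = random_code(self.length)
            while code in self.links:  # random codes can collide, so retry
                code = random_code(self.length)
        else:
            code = sequential_code(len(self.links), self.length)
        self.links[code] = url
        return code

    def keyspace(self) -> int:
        return (len(BASE62) if self.random_ids else len(LOWER)) ** self.length

    def guess_hit_probability(self) -> float:
        """Chance that one well-formed guessed code resolves to a stored link."""
        return len(self.links) / self.keyspace()

    def guess_bits(self) -> float:
        """Work factor, in bits, of hitting any stored link by blind guessing."""
        return math.log2(self.keyspace() / len(self.links))
```

With the sequential scheme every code below the counter is a live link, so a code one letter away from a known one always resolves; with random codes the chance that a guessed code resolves is entries divided by keyspace, which is what the two probability methods make visible.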