[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Full-Disclosure] 3 new MS patches next week... but none fix 0x01!

To: dfbarth@akiva.com, full-disclosure@lists.netsys.com
Subject: RE: [Full-Disclosure] 3 new MS patches next week... but none fix 0x01!
From: psz@maths.usyd.edu.au (Paul Szabo)
Date: Sun, 11 Jan 2004 16:37:21 +1100 (EST)

> ... and I've got this question for the list:
>
> This really long 'form action' item
> http://www.citibank.com:achaaa9uwdtyazjwvwaaaa9p398haaa9uwdtyazjwvwaboundpyw
> wgc2l6zt00pjxtvgc2l6zt00pjxywwgc2l6zt00pjxt398haaa9uwdtyazjwvwaaoundpywwgc2l
> 6zt00pjxtvgc2l6zt00pjxvgc2l6zt00pjxt@211.239.150.170/login/form.php
>
> obviously contains the 0x01 exploit. What I'm curious about is the HUGE
> amount of crap in between the : and the @ sign. I mean, if the 0x01 exploit
> is 'good enough', what's with the extra characters?

Hmmm... where in there do you see %01? No, that is no 0x01 exploit, but
just user:password@host quasi-RFC-compliant usage. The string is long so
as to leave the user staring at the citibank+gibberish part, not to be
made suspicious of the @IP part.

Cheers,

Paul Szabo - psz@maths.usyd.edu.au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- RE: [Full-Disclosure] 3 new MS patches next week... but none fix 0x01!
  - From: "David Bartholomew" <dfbarth@akiva.com>

Prev by Date: Re: [Full-Disclosure] 3 new MS patches next week... but none fix 0x01!
Next by Date: [Full-Disclosure] re: Citibank phishing email
Previous by thread: Re: [Full-Disclosure] 3 new MS patches next week... but none fix 0x01!
Next by thread: RE: [Full-Disclosure] 3 new MS patches next week... but none fix 0x01!
Index(es):
- Date
- Thread