[Full-Disclosure] RE: MAGIC XSS INTO THE DNS: coelacanth
- To: "Windows NTBugtraq Mailing List" <NTBUGTRAQ@xxxxxxxxxxxxxxxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxx>
- Subject: [Full-Disclosure] RE: MAGIC XSS INTO THE DNS: coelacanth
- From: "Drew Copley" <dcopley@xxxxxxxx>
- Date: Wed, 16 Jun 2004 11:29:52 -0700
> -----Original Message-----
> From: Windows NTBugtraq Mailing List
> [mailto:NTBUGTRAQ@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of
> http-equiv@xxxxxxxxxx
> Sent: Tuesday, June 15, 2004 3:00 PM
> To: NTBUGTRAQ@xxxxxxxxxxxxxxxxxxxxxx
> Subject: MAGIC XSS INTO THE DNS: coelacanth
>
> Tuesday, June 15, 2004
>
> The following courtesy of 'bitlance winter' adds an entirely new
> dimension to the matter and also suggests some additional
> peculiarities at play:
>
> <a href='http://"><plaintext>.e-gold.com'>foo</a>
>
> <a href='http://"><script>alert()<%2Fscript>.e-gold.com'>foo</a>
>
> these will inject arbitrary html and script into the site in the
> context of the 'intranet zone', which means one no longer needs
> to go out and setup a site with the dns issue, all one needs to
> do is locate a functioning site, include their code into a
> suitable url, either direct the target via that or place an
> iframe elsewhere pointing to it.
Because the wildcarding is a bit too wild.
For instance, "http://&money.e-gold.com/ " resolves.
And, "http://&money;G-Money&OGbabyOG.e-gold.com/" resolves.
In e-gold's case, they actually take the URL line and render
it variously in their dynamic HTML on their page.
>
> Still unclear how or why this can be interpreted into the site
> or through the browser.
>
> credit: 'bitlance winter'
>
>
> End Call
>
> --
> http://www.malware.com
>
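A worked illustration of the reflection Drew describes, added here as an example and not code from the post, from e-gold, or from bitlance winter. The two renderers, the ALLOWED_HOSTS set and the sample Host values are assumptions constructed for the demonstration; the Host strings are the payloads quoted above, fed in as a server would see them in the Host header. render_vulnerable() copies the hostname into the page the way the thread says the site does; render_hardened() shows the two checks that close it: an allowlist of served names (a wildcard zone answers for any label, so DNS cannot be the gate) and HTML-escaping of anything that is echoed.

```python
import html
import re
from typing import Optional, Tuple

# One RFC 1123 label: letters, digits and hyphens, no leading/trailing hyphen.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})*\.?$")

# Hypothetical allowlist of names the application really serves. A wildcard
# DNS record answers for anything under the domain, so this set, not DNS,
# has to decide which Host values are acceptable.
ALLOWED_HOSTS = {"e-gold.com", "www.e-gold.com"}

# Constructed Host values, taken from the payloads quoted in the thread
# (the second one still carries the %2F the post used in place of '/').
SAMPLE_HOSTS = [
    '"><plaintext>.e-gold.com',
    '"><script>alert()<%2Fscript>.e-gold.com',
    "&money.e-gold.com",
    "money.e-gold.com",
    "www.e-gold.com:80",
]


def render_vulnerable(host: str) -> str:
    """Echo the Host header into the page with no validation or escaping.

    This is the pattern the post describes: the attacker-chosen hostname
    lands in an href and in visible text, so a '"><plaintext>' or a
    <script> element written into the hostname becomes part of the page.
    """
    return f'<p>You are at <a href="http://{host}/">{host}</a></p>'


def split_host_port(host_header: str) -> Tuple[Optional[str], Optional[str]]:
    """Split 'name' or 'name:port'; anything else returns (None, None)."""
    m = re.fullmatch(r"([^:]+)(?::(\d{1,5}))?", host_header)
    if not m:
        return None, None
    return m.group(1), m.group(2)


def is_valid_hostname(hostname: str) -> bool:
    """Syntactic check only. A browser will happily send '&money.e-gold.com'
    and a wildcard zone will resolve it, but it is not a legal hostname."""
    return len(hostname) <= 253 and HOSTNAME_RE.match(hostname) is not None


def render_hardened(host_header: str) -> Tuple[int, str]:
    """Return (status, body). Reject malformed or unknown hosts, and escape
    the value before it reaches HTML even though it has already been checked."""
    hostname, _port = split_host_port(host_header)
    if hostname is None or not is_valid_hostname(hostname):
        return 400, "<p>Bad Request: malformed Host header</p>"
    canonical = hostname.lower().rstrip(".")
    if canonical not in ALLOWED_HOSTS:
        # 'money.e-gold.com' resolves via the wildcard but is not a name we serve.
        return 400, "<p>Bad Request: unknown host</p>"
    safe = html.escape(canonical, quote=True)
    return 200, f'<p>You are at <a href="http://{safe}/">{safe}</a></p>'


def compare(hosts=SAMPLE_HOSTS):
    """For each sample Host value, report whether the naive renderer emits
    an injected tag and what status the hardened renderer returns."""
    report = {}
    for h in hosts:
        naive = render_vulnerable(h)
        injected = "<plaintext>" in naive or "<script>" in naive
        status, _body = render_hardened(h)
        report[h] = {"naive_injects_markup": injected, "hardened_status": status}
    return report


if __name__ == "__main__":
    for host, result in compare().items():
        print(f"{host!r}: {result}")
```

The syntax check on its own would not be enough: money.e-gold.com is a perfectly legal name that the wildcard resolves, so it is the allowlist that decides, and the escaping is there so that a mistake in the allowlist does not become script execution. Running the block prints one line per sample host.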
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html