Forums Últimos mensajes - Powered by IBM
 
Tags Palabras claves

Hasta el propio microfot reconoce la vulnerabilidad de la URL falsificada

03/02/2004 - 19:46 por superdelphinet | Informe spam
Ayuda Hacer una pregunta
Después de negar e insultar a quien se atrevía a decir que la
vulnerabilidad de la URL falsificada existiese, y de afirmar varias
veces que todo era por la sintáxis de las URL resulta que microsoft
publica un parche contra la vulnerabilidad.

Pero claro con tal de llevar la razón, ya si existe problema, pero es
fallo, no vulnerabilidad, cosa que antes se negaba.

Pero resulta que en

http://www.microsoft.com/technet/tr...04-004.asp

aparece en notas técnicas:

A vulnerability that involves the incorrect parsing of URLs that
contain special characters. When combined with a misuse of the basic
authentication feature that has "username:password@" at the beginning
of a URL, this vulnerability could result in a misrepresentation of
the URL in the address bar of an Internet Explorer window. To exploit
this vulnerability, an attacker would have to host a malicious Web
site that contained a Web page that had a specially-crafted link. The
attacker would then have to persuade a user to click that link. The
attacker could also create an HTML e-mail message that had a
specially-crafted link, and then persuade the user to view the HTML
e-mail message and then click the malicious link. If the user clicked
this link, an Internet Explorer window could open with a URL of the
attacker's choice in the address bar, but with content from a Web Site
of the attacker's choice inside the window. For example, an attacker
could create a link that once clicked on by a user would display
http://www.tailspintoys.com in the address bar, but actually contained
content from another Web Site, such as http://www.wingtiptoys.com.
(Note: these web sites are provided as an example only, and both
redirect to http://www.microsoft.com.

¡Que cosas microsoft le llama vulnerabilidad!

Me da igual que sea vulnerabilidad que fallo, lo que no permito es que
se insulte con arrogancia y prepotencia inadmisible
email Siga el debateRespuesta 15 respuestasRespuesta Tengo una respuesta
DRAGON AGE™: INQUISITION – Matadragones
 

Leer las respuestas

#1 JM Tella Llop [MVP Windows] ·
03/02/2004 - 19:53 | Informe spam
Fijemonos por ejemplo, en la informacion dada por
VsAntivirus:
http://www.vsantivirus.com/vulms04-004.htm

habla de bvulnerabilidades que corrige el parche MS04-004
y además espresa claramente:
-
También corrige el fallo que permite mostrar una dominio
falso en la barra de direcciones, utilizado últimamente
para realizar estafas a usuarios de la banca electrónica
y de tarjetas de crédito, entre otros
-

Por cierto.. javier. como te has pasado de la raya.. te vamos a dar un tioquecito

Jose Manuel Tella Llop
MVP - Windows

http://www.multingles.net/jmt.htm
Este mensaje se proporciona "como está" sin garantías de ninguna clase, y no otorga ningún derecho.
This posting is provided "AS IS" with no warranties, and confers no rights.
You assume all risk for your use.


wrote in message news:
Después de negar e insultar a quien se atrevía a decir que la
vulnerabilidad de la URL falsificada existiese, y de afirmar varias
veces que todo era por la sintáxis de las URL resulta que microsoft
publica un parche contra la vulnerabilidad.

Pero claro con tal de llevar la razón, ya si existe problema, pero es
fallo, no vulnerabilidad, cosa que antes se negaba.

Pero resulta que en

http://www.microsoft.com/technet/tr...04-004.asp

aparece en notas técnicas:

A vulnerability that involves the incorrect parsing of URLs that
contain special characters. When combined with a misuse of the basic
authentication feature that has "username:password@" at the beginning
of a URL, this vulnerability could result in a misrepresentation of
the URL in the address bar of an Internet Explorer window. To exploit
this vulnerability, an attacker would have to host a malicious Web
site that contained a Web page that had a specially-crafted link. The
attacker would then have to persuade a user to click that link. The
attacker could also create an HTML e-mail message that had a
specially-crafted link, and then persuade the user to view the HTML
e-mail message and then click the malicious link. If the user clicked
this link, an Internet Explorer window could open with a URL of the
attacker's choice in the address bar, but with content from a Web Site
of the attacker's choice inside the window. For example, an attacker
could create a link that once clicked on by a user would display
http://www.tailspintoys.com in the address bar, but actually contained
content from another Web Site, such as http://www.wingtiptoys.com.
(Note: these web sites are provided as an example only, and both
redirect to http://www.microsoft.com.

¡Que cosas microsoft le llama vulnerabilidad!

Me da igual que sea vulnerabilidad que fallo, lo que no permito es que
se insulte con arrogancia y prepotencia inadmisible

Preguntas similares

 

Busqueda sugerida :