Full Disclosure mailing list archives
Re: Global *.net XSS, thank you Verisign(TM)
From: Marc Slemko <marcs () znep com>
Date: Tue, 16 Sep 2003 07:20:28 -0700 (PDT)
On Mon, 15 Sep 2003 xss_slut () hushmail com wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Quite recently, Verisign took over the internet. What parts, you might ask? Well, the parts in nomad land. Do a dig on _anything_you_like.net, and you'll find an IP. Point a browser at http://junkurlblahblah.net, and you'll find yourself at sitefinder.verisign.com This by it's self doesn't create a vulnerability, however, when combined with a XSS bug, this works in IE: http://";alert('slut');".net
And how is this a security issue that is of anything more than trivial importance? How is it a "global XSS" hole? The hole is on a page on sitefinder.verisign.com, not on the server that is answering for *.net and *.com. All that server does is redirect you. The impact of the hole is the same regardless of if the *.com and *.net wildcard exists or not. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Global *.net XSS, thank you Verisign(TM) xss_slut (Sep 16)
- Re: Global *.net XSS, thank you Verisign(TM) Jedi/Sector One (Sep 16)
- Re: Global *.net XSS, thank you Verisign(TM) James Greenhalgh (Sep 16)
- Re: Global *.net XSS, thank you Verisign(TM) Paul Holman (Sep 16)
- Re: Global *.net XSS, thank you Verisign(TM) J.A. Terranson (Sep 16)
- Re: Global *.net XSS, thank you Verisign(TM) morning_wood (Sep 18)
- Re: Global *.net XSS, thank you Verisign(TM) Marc Slemko (Sep 16)
- Re: Global *.net XSS, thank you Verisign(TM) morning_wood (Sep 18)
- RE: Global *.net XSS, thank you Verisign(TM) Richard M. Smith (Sep 16)
- RE: Global *.net XSS, thank you Verisign(TM) tadpole-boy (Sep 16)
- Re: Global *.net XSS, thank you Verisign(TM) Scott Manley (Sep 16)
- Re: Global *.net XSS, thank you Verisign(TM) Jedi/Sector One (Sep 16)