Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: RE: Security issue in Microsoft Outlook

From: Dan Margolis <lists.fd.dmargoli () af0 net>
Date: Mon, 23 May 2005 17:55:43 -0400
On Mon, May 23, 2005 at 01:25:35PM -0700, David Cleveland wrote:

I was able to duplicate.  After creating the url link, I put the cursor
right after the 'www.' And typed in the 'foo-labs.info'.  Then I delete
everything after 'info' and sent it.  The link read foo-labs and went to
cybertrion.


After much trials and tribulations, I was able to replicate this. And
you know what? IT'S THE EXACT SAME RESULT AS IF SOMEONE HAD CLICKED
"EDIT" AND CHANGED THE URL!

So, what this means is that there is a "bug" in Outlook by which one
can, if one has not clicked off the link since creating it, create a
link, alter it, and not have the target altered to the new URL. I say
"bug" in quotes because what presumably is going on is the function that
updates the target is not called, leaving the old target in there. 

Is this a security risk? NO! The reporter is a troll or a moron! Since
my prior sarcasm was apparently lost on some readers, THIS IS A FEATURE
OF HTML! Links can point to other places than the text in between the
link tags! If they couldn't, there'd be no point to having links!

If you have a problem with this, go back to using Gopher--or better yet,
stop using the Internet. We'll all miss your valuable input. 

Once and for all: THIS IS NOT A VULNERABILITY. Now, can we all let this
stupid thread die?

Thanks and have a great day. :)
-- 
Dan
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: