The OpenNET Project / Index page
BSD, Linux, Cisco, Web, Palm, other unix
RUSSIAN version

Search
Хинт: "Архив документации" содержит более 50 Мб руководств для Linux и FreeBSD на русском и английском языках.
SOFT - Unix Software catalog
LINKS - Unix resources
TOPIC - Articles from usenet
DOCUMENTATION - Unix guides
News | Tips | MAN | Forum | BUGs | LastSoft | Keywords | BOOKS (selected) | Linux HowTo | FAQ Archive

%25c double-parse vulnerability exploitable via email


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Wed, 16 May 2001 11:58:00 -0400
From: yehuda <yehuda@essutton.com>
To: "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>
Subject: %25c double-parse vulnerability exploitable via email

	This may be obvious, but even if a server is not accessible to the
internet, you can exploit it via email. All you need is the following
information:

> 1 - an email address on their network. It must be one that someone will
> read, and the person must be using a reader that renders html mail.
> 2 - the hostname or IP of the win2k server
> 
> all you need to do is craft an html email to your mail user (see 1 above)
> with the %25c double-parse vulnerability as a url in the mail message.
> (Use an img tag so it will run automatically and attempt to download an
> "image".)
> 
> user reads the message, and blammo!
> 
	if an administrator feels he doesn't need to patch his win2k server
because it's not available on the internet, think again.

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Закладки
Добавить в закладки
Created 1996-2003 by Maxim Chirkov  
ДобавитьРекламаВебмастеруЦУПГИД  
SpyLOG TopList