[Dshield] New Paypal scam

John Hardin johnh at aproposretail.com
Mon Sep 22 17:26:27 GMT 2003


On Mon, 2003-09-22 at 10:03, Blanchard, Joe wrote:
> <...isn't the host part delimited by the forward slash, though?
> 
> That said, I wouldn't be at all surprised if the IE URL parser actually
> *is* that broken.>
> 
> 
> Nope. ftp://www.paypal.com@ftp.redhat.com Denotes User at domain_name but in
> lieu of ftp http: simply suggests login at domain_name. This is an old tactic
> I seem to remember seeing it in 4.0 days of IE too.

The URL syntax is proto://{user{:password}@}host{:port}/path/to/file

Note that the original URL had the @ *after* the first forward slash,
thus if the URL were being parsed properly it would *not* be an
effective redirect attack. Indeed it is not in mozilla/galeon. I got the
PayPal welcome page, which I assume is their default for 404s.

My questions (stated indirectly) were:

1) was this URL copied properly into the original email?

2) was this (malformed) attack URL indeed causing a "redirect" in some
browsers? Meaning, were they helpfully ignoring the forward slash as a
delimiter and parsing the "@whatever" as part of the host spec? This
would indicate a severely broken URL parser.

--
John Hardin  KA7OHZ                           
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
-----------------------------------------------------------------------
  There is no problem that cannot be solved by the appropriate
  application of high explosives.
-----------------------------------------------------------------------
 44 days until Matrix Revolutions




More information about the list mailing list