[Dshield] New Paypal scam

John Dalton dubuque_1 at msn.com
Mon Sep 22 22:42:59 GMT 2003

John, interestingly enough, this is from the source on the original (which I
think I attached to the original post). Did the person get mixed up in
obfuscating the address and do it wrong?


----- Original Message ----- 
From: "John Hardin" <johnh at aproposretail.com>
To: "General DShield Discussion List" <list at dshield.org>
Sent: Monday, September 22, 2003 12:26 PM
Subject: RE: [Dshield] New Paypal scam

> On Mon, 2003-09-22 at 10:03, Blanchard, Joe wrote:
> > <...isn't the host part delimited by the forward slash, though?
> >
> > That said, I wouldn't be at all surprised if the IE URL parser actually
> > *is* that broken.>
> >
> >
> > Nope. ftp://www.paypal.com@ftp.redhat.com denotes User at domain_name, but
> > in lieu of ftp, http: simply suggests login at domain_name. This is an old
> > I seem to remember seeing it in 4.0 days of IE too.
>
> The URL syntax is proto://{user{:password}@}host{:port}/path/to/file
>
> Note that the original URL had the @ *after* the first forward slash,
> thus if the URL were being parsed properly it would *not* be an
> effective redirect attack. Indeed it is not in mozilla/galeon. I got the
> PayPal welcome page, which I assume is their default for 404s.
>
> My questions (stated indirectly) were:
>
> 1) was this URL copied properly into the original email?
>
> 2) was this (malformed) attack URL indeed causing a "redirect" in some
> browsers? Meaning, were they helpfully ignoring the forward slash as a
> delimiter and parsing the "@whatever" as part of the host spec? This
> would indicate a severely broken URL parser.
>
> --
> John Hardin  KA7OHZ
> Internal Systems Administrator                    voice: (425) 672-1304
> Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
> -----------------------------------------------------------------------
>   There is no problem that cannot be solved by the appropriate
>   application of high explosives.
> -----------------------------------------------------------------------
>  44 days until Matrix Revolutions
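
The URL syntax quoted in the thread, worked through as an added example (not part of the original messages): it splits a URL at the authority boundary, reports whether an "@" sits in the userinfo position or only after the first slash, and cross-checks the host against the runtime's own URL parser. The function names and the `host.example` URL are constructed for illustration; the scam URL the thread refers to is not reproduced on this page.

```javascript
// Added example. Splits a URL according to the generic syntax quoted above:
//   proto://{user{:password}@}host{:port}/path/to/file
function splitUrl(url) {
  const m = /^([a-z][a-z0-9+.-]*):\/\//i.exec(url);
  if (!m) throw new Error("not a proto:// URL: " + url);
  const rest = url.slice(m[0].length);
  // The authority ends at the first "/", "?" or "#". Nothing after that
  // point may influence which host is contacted.
  const end = rest.search(/[\/?#]/);
  const authority = end === -1 ? rest : rest.slice(0, end);
  const tail = end === -1 ? "" : rest.slice(end);
  // Userinfo is everything before the last "@" inside the authority.
  const at = authority.lastIndexOf("@");
  const userinfo = at === -1 ? null : authority.slice(0, at);
  // Drop an optional trailing :port to leave the host.
  const host = authority.slice(at + 1).replace(/:\d*$/, "").toLowerCase();
  return { scheme: m[1].toLowerCase(), userinfo, host, tail };
}

// Labels a link for mail filtering or review, and records whether the
// runtime's WHATWG URL parser agrees on the host that would be contacted.
function classify(url) {
  const p = splitUrl(url);
  const platformHost = new URL(url).hostname;
  let verdict = "plain";
  if (p.userinfo !== null) {
    // A dotted name in the user field makes the link read like another site.
    const user = p.userinfo.split(":")[0];
    verdict = user.includes(".") ? "hostname-in-userinfo" : "userinfo";
  } else if (p.tail.includes("@")) {
    // "@" after the first slash is path data; the host is unchanged.
    verdict = "at-sign-after-slash";
  }
  return { verdict, host: p.host, platformHost, agree: p.host === platformHost };
}

// Sample inputs: the first is the form quoted in the thread, the other two
// are constructed for this example.
const SAMPLE_URLS = [
  "ftp://www.paypal.com@ftp.redhat.com",
  "http://www.paypal.com/cgi-bin/webscr@host.example/login",
  "http://www.paypal.com:80/index.html",
];
for (const u of SAMPLE_URLS) {
  console.log(u, JSON.stringify(classify(u)));
}
```

A parser that contacted `host.example` for the second sample would be treating the "@" as an authority delimiter after the path has already begun, which is the broken behaviour the second question asks about.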