[Dshield] New Paypal scam

John Dalton dubuque_1 at msn.com
Mon Sep 22 22:42:59 GMT 2003


John, interestingly enough, this is from the source on the original (which I
think I attached to the original post). Did the person get mixed up in
obfuscating the address and do it wrong?


href="http://www.paypal.com%2f@%32%31%31%2E%31%31%33%2E%31%38%36%2E%34%32/%70%70/%70%72%6F%63%65%73%73%69%6E%67%2E%68%74%6D">click

----- Original Message ----- 
From: "John Hardin" <johnh at aproposretail.com>
To: "General DShield Discussion List" <list at dshield.org>
Sent: Monday, September 22, 2003 12:26 PM
Subject: RE: [Dshield] New Paypal scam


> On Mon, 2003-09-22 at 10:03, Blanchard, Joe wrote:
> > <...isn't the host part delimited by the forward slash, though?
> >
> > That said, I wouldn't be at all surprised if the IE URL parser actually
> > *is* that broken.>
> >
> >
> > Nope. ftp://www.paypal.com@ftp.redhat.com Denotes User at domain_name but in
> > lieu of ftp http: simply suggests login at domain_name. This is an old tactic
> > I seem to remember seeing it in 4.0 days of IE too.
>
> The URL syntax is proto://{user{:password}@}host{:port}/path/to/file
>
> Note that the original URL had the @ *after* the first forward slash,
> thus if the URL were being parsed properly it would *not* be an
> effective redirect attack. Indeed it is not in mozilla/galeon. I got the
> PayPal welcome page, which I assume is their default for 404s.
>
> My questions (stated indirectly) were:
>
> 1) was this URL copied properly into the original email?
>
> 2) was this (malformed) attack URL indeed causing a "redirect" in some
> browsers? Meaning, were they helpfully ignoring the forward slash as a
> delimiter and parsing the "@whatever" as part of the host spec? This
> would indicate a severely broken URL parser.
>
> --
> John Hardin  KA7OHZ
> Internal Systems Administrator                    voice: (425) 672-1304
> Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
> -----------------------------------------------------------------------
>   There is no problem that cannot be solved by the appropriate
>   application of high explosives.
> -----------------------------------------------------------------------
>  44 days until Matrix Revolutions
>
>
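
Added example, not part of the original thread: a small parser for the proto://{user{:password}@}host{:port}/path syntax quoted above, run over the href from the message source, a constructed variant with a literal slash before the @, and the ftp URL from the quoted reply. The function names and the literal-slash variant are assumptions made for illustration; IPv6 literals are not handled.

```python
from urllib.parse import unquote

# href from the message source above (the two wrapped lines joined).
PAGE_URL = ("http://www.paypal.com%2f@%32%31%31%2E%31%31%33%2E%31%38%36%2E%34%32/"
            "%70%70/%70%72%6F%63%65%73%73%69%6E%67%2E%68%74%6D")
# Constructed variant: the same link with a literal '/' before the '@'.
LITERAL_SLASH_URL = "http://www.paypal.com/@211.113.186.42/pp/processing.htm"
# URL quoted in the reply about user@host syntax.
FTP_URL = "ftp://www.paypal.com@ftp.redhat.com"


def split_authority(url):
    """Split url as scheme://[user[:password]@]host[:port]/path.

    Only a literal '/', '?' or '#' ends the authority; a percent-encoded
    %2f is ordinary data and stays inside the userinfo.
    """
    scheme, sep, rest = url.partition("://")
    if not sep:
        raise ValueError("not a hierarchical URL: %r" % url)
    end = len(rest)
    for delim in "/?#":
        pos = rest.find(delim)
        if pos != -1:
            end = min(end, pos)
    authority, path = rest[:end], rest[end:]
    # Everything before the last '@' is userinfo, never part of the host.
    userinfo, at, hostport = authority.rpartition("@")
    host, _, port = hostport.partition(":")  # assumption: no IPv6 literal
    return {
        "scheme": scheme.lower(),
        "userinfo": unquote(userinfo) if at else None,
        "host": unquote(host).lower(),
        "port": port or None,
        "path": unquote(path),
    }


def deceptive_userinfo(url):
    """True when the userinfo looks like a hostname other than the real host."""
    parts = split_authority(url)
    user = (parts["userinfo"] or "").split(":", 1)[0].rstrip("/").lower()
    return "." in user and user != parts["host"]
```

A mail or proxy filter can apply deceptive_userinfo() to every link in a message and flag those where the name shown before the @ is not the host the client will connect to.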



