[19265] in bugtraq
Re: Website executing javascript in SMS message
daemon@ATHENA.MIT.EDU (thomas sjogren)
Fri Feb 16 17:27:32 2001
Content-Type: text/plain
Content-Disposition: inline
Mime-Version: 1.0
X-Complaints-To: Administrator@postmaster.co.uk
Message-ID: <PM.4328.982357206@pmweb6.uk1.bibliotech.net>
Date: Fri, 16 Feb 2001 21:00:06 +0000
Reply-To: thomas sjogren <t_sjogren@POSTMASTER.CO.UK>
From: thomas sjogren <t_sjogren@POSTMASTER.CO.UK>
X-To: Stefan Laudat <stefan@worldbank.ro>
To: BUGTRAQ@SECURITYFOCUS.COM
> Sounds rather apocalyptic, but please show me a serious attack code fit in the barely 160 characters of an SMS message. Or maybe technology has suddenly evolved where the sun shines earlier than here :)
Maybe it's apocalyptic, but
<xMETA HTTP-EQUIV="Refresh"x CONTENT="0;URL=http://www.cr4sh.com"x>
is all you need and it's not 160 characters (the x's should be excluded).
Sure, this is not a serious attack code, but if you're
redirected to a website with a malicious code on it the above code could be used as an attack code.
> OTOH, as long as ONE service provider is involved here, shouldn't you be working with it to fix an incipient form of attack instead of waving flags on public list in order to generate panic and to eventually get kudos ?
Yes it's only one service provider, just like Hotmail.
Why didn't I contact mtnsms? I did, and their reply was: "Why did you send us this letter?". They are not, as I see it, interested in a fix. So why not inform about this and maybe notify people working with this kind of services?
/Thomas
--
url: www.freespeech.org/screams
-----BEGIN PGP SIGNATURE-----
iQA/AwUAOj+s0Epl7KAh2d9BEQK9pwCf
Qt7re02wzZxcGJPyqQyWWQAFnPMAn2yf
EdhkgV7kgJXEXPomwWapRj4K=No9l
-----END PGP SIGNATURE-----
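
Added example, not part of the original post or of any provider's code: a sketch of the server-side fix for the issue discussed in this message, where a web inbox encodes the SMS body on output so that a tag well under 160 characters is displayed as text instead of being interpreted. The function names, the `sms` CSS class and the sample messages (including the placeholder URL) are assumptions made for illustration.

```python
import html
import re

SMS_MAX = 160  # single-message length limit mentioned in the thread

# Constructed sample bodies. The second mirrors the tag quoted in the post,
# with a placeholder URL; the third is ordinary text that contains < and >.
SAMPLES = [
    "See you at 8, bring the tickets",
    '<META HTTP-EQUIV="Refresh" CONTENT="0;URL=http://example.invalid/">',
    "price < 5 & size > 3",
]

# Heuristic for logging only: something that starts like an HTML tag.
# Rendering safety must not depend on this pattern.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z!][^>]*>")


def looks_like_markup(body: str) -> bool:
    """Flag bodies worth a log entry or an abuse review."""
    return TAG_RE.search(body) is not None


def render_sms(body: str) -> str:
    """Return an HTML fragment that shows the SMS body as inert text."""
    if len(body) > SMS_MAX:
        raise ValueError("body exceeds single-SMS length")
    # quote=True also encodes " and ', so the text stays inert even if a
    # template later places it inside an attribute value.
    return '<pre class="sms">' + html.escape(body, quote=True) + "</pre>"


def audit(bodies):
    """Return (rendered_fragment, flagged) for each body."""
    return [(render_sms(b), looks_like_markup(b)) for b in bodies]


if __name__ == "__main__":
    for fragment, flagged in audit(SAMPLES):
        print("FLAG" if flagged else "ok  ", fragment)
```

Encoding at the point of output is what makes the page safe; the pattern match only tells the operator that someone is sending markup, and ordinary text such as the third sample is neither flagged nor altered for the reader.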