[35246] in bugtraq
FOUND: COELACANTH: Phreak Phishing Expedition
daemon@ATHENA.MIT.EDU (http-equiv@excite.com)
Fri Jun 11 13:51:18 2004
Message-Id: <200406110103.i5B13lf6012016@web185.megawebservers.com>
To: <bugtraq@securityfocus.com>
Date: Fri, 11 Jun 2004 01:03:47 -0000
From: "http-equiv@excite.com" <1@malware.com>
Cc: <NTBugtraq@listserv.ntbugtraq.com>
Reply-To: 1@malware.com
From the original discover, 'bitlance winter' one big fat
coelacanth:
<a href="http://www.malware.com%2F redir=www.e-gold.com">test</a>
"i guess that this issue is not e-gold's BUG,
IE6 and Opera7.51 is vulnerable.
Some server's DNS allow magic number subdomainname.
the server allow ,
www.site.tld
wwwww.site.tld
wwwwwwwwwwww.site.tld
www www.site.tld
wwwURLEncodecharcterswww.site.tld
when the server allows URLEncodecharacters
evil attackers can fake victim users who use Opera and IE .
the attacker will make their DNS
*.evilsite.tld IN A 333.333.333.333
using this DNS,
victim's IE can shows victim
http://w.evilsite.tld
http://wwwwwwwwwwwwwwwwwww.evilsite.tld
and then,
attacker makes an evil link as
http://www.microsoft.com [malicious falke char$] evilsite.tld
and then, attacker set tricks
Bugtraq: Stupid Phishing Tricks (you find it)
victim user will input his userID and password.
I guess many server's DNS allow
*.evilsite.tld IN A 333.333.333.333
because they use magicnumber SSL cert.
Attacker can use this method."
--
http://www.malware.com
