CERT: Vulnerability in web redirectors
From: <hack4life () hushmail com>
Date: Fri, 21 Mar 2003 10:37:15 -0800

This release isn’t up to the same standard as my other three, my apologies
for that.

Your mileage with this vulnerability may vary; some people will think
it's irrelevant; some may be able to make use of it. But it's not for
me to judge whether it should be released; CERT obviously thinks it's
worthwhile, so I've taken the choice out of their hands too and released
it anyway.

I have decided on a new policy for release of vulnerabilities. In future
all vulnerabilities will be released at approximately 7pm on Friday evenings.
This is to give hackers the maximum amount of time to actively exploit
the vulnerability before sys-admins, CERT, and Vendors can act to patch
the issue on Monday morning after their weekend off.

Many people seem to have forgotten that holes are not released to help
the Admins, they are there to help the hackers and that is who should
be using them!

I will release a further hole at the same time next week.


Still Hacking, Still Kicking Arse



Microsoft has contacted us regarding an issue reported to Bugtraq a
while ago. This vulnerability affects a number of different portal
sites. They have asked us to contact sites we think may be
affected. If you can think of any other sites vulnerable to this
problem, we would appreciate your feedback.

The issue involves web redirectors. It looks like spammers are
targeting these in an attempt to legitimize their activities, by using
redirected URLs so that spam victims think the URLs in spam are

Here's an example:

http://go.msn.com/0000/5/1.asp?target= - this is
pretty straightforward - it uses the http://go.msn.com/0000/5/1.asp
page to redirect to the IP address of Microsoft.com. This page is a
legitimate service for MSN - for example one of the things they use
pages like this for is to redirect users in UK who type in www.msn.com
to www.msn.co.uk.

What spammers are doing is using these to bounce off in an attempt to
look legitimate. By further obfuscation of the URL with dotless IP
addresses and unicode characters, you get left with a URL where the
only distinguishable name in the URL is 'go.msn.com', which looks

There are two issues here:

1. Users are being tricked into going to what they think is a
legitimate site they trust, but are in fact being steered off to
another site which they are unlikely to trust. This could be a hostile
site, an unsavory site, or worse, a site mocked up to look like the
trusted site in an attempt to further trick the user.

2. The servers that handle this service are scaled for the specific
service they provide. MSN understands the throughputs and loads and
has capacity planned as such. If spammers start to make widespread
use of this method, they could in effect cause a Denial of Service to
elements of MSN (or insert your favorite portal here).

The way spammers are identifying these redirectors is pretty
straightforward. In Internet Explorer it is possible to inspect a URL
in the status bar without following it, just by mousing over it (you
need "View|Status Bar" enabled). Most of the big portals have at least
one redirector right on their home page, and by simply mousing over
all the URLs you can quickly identify those that are redirecting to
another domain. You can then copy the URL to the clipboard, paste it
into a document, delete the proper target domain and insert the new
target domain. You then copy the new URL into your spam e-mail.

So, please evaluate your exposure to this problem and let us know in
the form of a vendor statement. We understand that fixing this problem
may require some architectural changes, so we don't expect it to be
solved overnight.

We have not yet established a timeframe for publishing information
regarding this problem.


--

Ian A Finlay <iaf () cert org>     CERT (R) Coordination Center
My Key Fingerprint: 8E45 ED14 46D5 F9EF 18C1 5BC7 301E B19A F081 F52C
CERT/CC Fingerprint: E0 1E DF F5 FC 76 00 32 77 8F 25 F7 B0 2E 2C 27
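
As an added example, not part of the CERT note or of the original post: a Python check that a redirector page like the `1.asp?target=` one described above could apply before honouring its `target` parameter, together with a scanner that flags mail containing redirector URLs whose target leaves the portal. The host names (`go.example-portal.test`, `www.example-portal.test`), the redirect parameter names and the sample mail text are constructed for illustration and are not taken from any real portal.

```python
"""Open-redirector mitigation and detection (added example; all hosts,
parameter names and sample text below are constructed, not real)."""
import re
from urllib.parse import parse_qs, urlparse

# Hosts the hypothetical portal is willing to send a user on to.
ALLOWED_HOSTS = {"go.example-portal.test", "www.example-portal.test",
                 "www.example-portal.co.uk.test"}
# Hosts that run a redirector endpoint (hypothetical).
REDIRECTOR_HOSTS = {"go.example-portal.test"}
# Query parameter names commonly used to carry a redirect target (assumed).
REDIRECT_PARAMS = ("target", "url", "u", "r", "redirect", "goto")


def is_safe_redirect_target(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` keeps the user on an allowlisted host.

    Anything that is not http(s), any host not in the allowlist (dotless
    IPs, raw IPs and unicode look-alike hosts all fail this test because
    they never match an allowlisted name), scheme-relative '//host' paths
    and URLs carrying userinfo ('trusted.host@evil.host') are rejected.
    """
    # Some browsers treat '\' like '/' in the authority; normalise first.
    t = target.replace("\\", "/")
    parsed = urlparse(t)
    if parsed.scheme == "" and parsed.netloc == "":
        # Relative path within the portal: fine unless it is '//host/...'.
        return t.startswith("/") and not t.startswith("//")
    if parsed.scheme not in ("http", "https"):
        return False
    if parsed.username is not None or parsed.password is not None:
        return False
    host = (parsed.hostname or "").lower()
    return host in allowed_hosts


def find_offsite_redirects(text: str, redirector_hosts=REDIRECTOR_HOSTS,
                           allowed_hosts=ALLOWED_HOSTS):
    """Scan free text (e.g. a mail body) and return (url, param, target)
    tuples for every URL on a known redirector host whose redirect
    parameter points off the allowlisted hosts."""
    findings = []
    for url in re.findall(r"https?://[^\s<>\"']+", text):
        p = urlparse(url)
        if (p.hostname or "").lower() not in redirector_hosts:
            continue
        for name in REDIRECT_PARAMS:
            for value in parse_qs(p.query).get(name, []):
                if not is_safe_redirect_target(value, allowed_hosts):
                    findings.append((url, name, value))
    return findings


# Constructed sample mail: one abusive redirect (dotless-IP target), one
# legitimate in-portal redirect, one ordinary link.
SAMPLE_MAIL = """\
Great offer! http://go.example-portal.test/0000/5/1.asp?target=http%3A%2F%2F3232235777%2Fbuy
News: http://go.example-portal.test/0000/5/1.asp?target=http%3A%2F%2Fwww.example-portal.test%2Fnews
Unrelated link http://other.test/page
"""

if __name__ == "__main__":
    for url, name, value in find_offsite_redirects(SAMPLE_MAIL):
        print(f"off-site redirect via {name}={value!r} in {url}")
```

Allowlisting the parsed host name, rather than pattern-matching the raw string, is what makes the dotless-IP and unicode obfuscation the note describes irrelevant: those hosts simply never equal an allowlisted name. The relative-path branch covers the legitimate in-portal case (the www.msn.com to www.msn.co.uk style redirect) without ever accepting an absolute URL from the caller.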
