Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: re: Microsoft Outlook Web Access URL Injection
From: Valdis.Kletnieks () vt edu
Date: Mon, 07 Feb 2005 14:26:27 -0500

On Mon, 07 Feb 2005 09:27:25 PST, morning_wood said:
looks like MS is NOT publicly releasing a fix for this, while they have the
means and solution at hand.
( at least under IE )
a kind reader sent this little snippet...

"... was able to get Microsoft to provide us with a DLL
to drop under IIS 6 to compare URL variable against the Host: header
variable and do 302 to web root if they are not similar.  This fixed the
problem, however, I doubt that Microsoft will make this patch available to
the public."

what happend to MS commitment to security???

They figured they'd spent the budget for the quarter for PR proclaiming their
commitment to security.  Remember - they're nowhere near as committed to
security as they are to the bottom line.  A $20M PR campaign will sway a lot
of managers, while a $200M project to actually fix things won't be noticed.
Which would *you* choose if you were them?

(Note that this is heavily dependent on corporate culture - for instance,
if some VP at Google tried that same money-saving stunt, he'd probably get
called in, pointed at the "Don't be evil" sign, and told to find some OTHER
way to save the $180M...  But as far as I know, there isn't any such sign
in Redmond....)

Attachment: _bin

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]