[Full-Disclosure] Exclusive: Windows 2000 & Windows NT 4 Source Code Leaks

jB jbistogood at hotmail.com
Thu Feb 12 19:29:20 GMT 2004


Yes, it's not an exploit, but close...

Seems MS just joined the open source alliance:
http://neowin.net/comments.php?id=17509&category=main

JB
----- Original Message ----- 
From: "mescsa" <mescsa at yahoo.com>
To: <full-disclosure at lists.netsys.com>
Sent: Monday, February 09, 2004 9:14 PM
Subject: Re: [Full-Disclosure] another product affected by recent MS IE '@' patch


> Nick FitzGerald <nick at virus-l.demon.co.uk> wrote:
>> ...
>> and, most importantly, you should note that the "userinfo" part is
>> _outside_ the definition of "hostport", and thus outside the "host"
>> part.  Ergo, HTTP URLs are explicitly (and presumably deliberately)
>> defined to _NOT_ support "userinfo" data so any implementation that
>> does is non-compliant.
>
> This is your interpretation of section 3.2.2 of RFC 2616.
>
> However section 3.2.1 of the same document states that
> "For definitive information on URL syntax and semantics," you
> should "see 'Uniform Resource Identifiers (URI): Generic Syntax
> and Semantics,' RFC 2396."
>
> Since there are neither any MUST NOTs in RFC 2616 nor any apparent
> technical reasons why userinfo should be banned from HTTP-URLs, it
> is clear that not everyone will follow your reasoning. That's why
> implementors have chosen to make use of the userinfo-part in
> services, protocols and user agents.
>
> Regards,
> mescsa
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 
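The grammar disagreement in the quoted message, as an added example that is not part of the original thread: it splits an HTTP URL's authority the RFC 2396 way (optional userinfo, then host and port) and reports whether the URL also fits the narrower RFC 2616 section 3.2.2 form, which has no userinfo. The function names, the "looks like a hostname" heuristic and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit


def split_http_authority(url):
    """Split [userinfo "@"] host [":" port] out of an HTTP URL (RFC 2396 server form)."""
    parts = urlsplit(url)
    # Assumption: https is treated like http here; RFC 2616 itself only defines "http:".
    if parts.scheme not in ("http", "https"):
        raise ValueError("not an HTTP URL: %r" % url)
    # Everything before the last "@" in the authority is userinfo, not the host.
    userinfo, at, _hostport = parts.netloc.rpartition("@")
    return {
        "userinfo": userinfo if at else None,
        "host": parts.hostname,   # the host the client would actually contact
        "port": parts.port,
        # RFC 2616 3.2.2: http_URL = "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]]
        "fits_rfc2616_http_url": not at,
    }


def userinfo_resembles_host(url):
    """Heuristic (assumption): userinfo containing a dot and no ':' reads like a site name."""
    info = split_http_authority(url)["userinfo"]
    return bool(info) and "." in info and ":" not in info


# Constructed sample URLs (documentation-reserved names and addresses).
SAMPLES = [
    "http://www.example.com@192.0.2.7/login",   # userinfo that reads like a hostname
    "http://user:pw@intranet.example:8080/",    # conventional credentials in userinfo
    "http://www.example.com/a@b",               # "@" in the path, not in the authority
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, split_http_authority(u), userinfo_resembles_host(u))
```

A mail or proxy filter can use the `host` field, rather than the text before the `@`, when deciding where a link really leads.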




Full-Disclosure is hosted and sponsored by Secunia.