Date: Fri Mar 3 20:23:26 2006
From: bkfsec at sdf.lonestar.org (bkfsec)
Subject: Using domain whois information for fun and profit

Joachim Schipper wrote:
>
>Why not? It's not like it's internic's problem that some
>people/programmers do stupid things.
>
>Blacklists wouldn't work anyway, and it's, again, not internic's fault
>or problem.
>
>And there is no reason to use a web-based client when all serious
>networking operating systems come with a whois client supplied (or at
>least very, very easily installed).
It may not be internic's fault per se, but this does constitute an issue
that should be dealt with.

The question is one of data format. It's always data format. Almost
every kind of input system has legal/illegal characters and bounding
limitations of one form or another. I think that it's fairly obvious
that the format of the data being fed to them (and by them) should be
their concern.

Whois information is not intended to be script. As you pointed out,
many major operating systems come with a text-based whois client and
that whois client is meant to process plaintext data. It's a
formatting issue, plain and simple. The field allows for formatting in
its text that is not meant to be processed in the way that it's
presented and as such that formatting represents bad IO.

So, yes, it is their problem. As much as it's a website's problem if
someone is using XSS to grab session cookies using their posting
mechanisms. Not much different, really.

-bkfsec
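
An added example, not part of the original post or thread: the two places the data-format problem discussed above can be handled for a plaintext whois record, a registry-side check for legal characters and length, and output encoding in a web-based client. The character policy, the length limit, the function names and the sample record are assumptions constructed for illustration.

```python
import html
import re

# Assumed registry policy (not from the post): printable ASCII, bounded length,
# and no angle brackets in any field value.
MAX_VALUE_LEN = 255
PRINTABLE_ASCII = re.compile(r"[\x20-\x7e]*")

def parse_whois(text):
    """Split a plaintext whois reply into (field, value) pairs."""
    pairs = []
    for line in text.splitlines():
        if line.lstrip().startswith("%") or ":" not in line:
            continue  # skip comment lines and lines without a field name
        field, _, value = line.partition(":")
        pairs.append((field.strip(), value.strip()))
    return pairs

def check_value(value):
    """Registry side: return the reasons a submitted value is rejected."""
    problems = []
    if len(value) > MAX_VALUE_LEN:
        problems.append("too long")
    if not PRINTABLE_ASCII.fullmatch(value):
        problems.append("illegal character")
    if "<" in value or ">" in value:
        problems.append("markup character")
    return problems

def render_html(pairs):
    """Web client side: emit every field and value as encoded text."""
    rows = ["<tr><th>%s</th><td>%s</td></tr>" % (html.escape(f), html.escape(v))
            for f, v in pairs]
    return "<table>\n" + "\n".join(rows) + "\n</table>"

# Constructed sample record, not real registry data.
SAMPLE = """\
% constructed sample
Domain Name: EXAMPLE.TEST
Registrant Name: <script>alert(1)</script>
Registrant Organization: Example & Sons
Name Server: NS1.EXAMPLE.TEST
"""

if __name__ == "__main__":
    records = parse_whois(SAMPLE)
    for field, value in records:
        print(field, "->", check_value(value) or "ok")
    print(render_html(records))
```

The organization value passes the assumed registry check yet still contains `&`, so the web client has to encode on output regardless of what the registry accepts.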