Message-ID: <20081127101219.GV21516@thot.informatik.uni-kl.de>
Date: Thu, 27 Nov 2008 11:12:19 +0100
From: Joerg Mayer <jmayer@...lof.de>
To: niclas <lists@...enritter.de>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: URLs with hexcode-obscured IPs still work?

On Wed, Nov 26, 2008 at 11:38:52PM +0100, niclas wrote:
> Today I received a phishing mail containing a link which obscures the
> IP address as a hexadecimal number. The URL looks like this:
>
> http:// 0x ded 6d8a1/www.paypal.com/int ... /index.htm
>
> (Spaces added to circumvent phishing filters.)
>
> This seems to be an old problem, and links like that - IMHO - just
> shouldn't work. They don't do when using proxy servers, but they do in
> some Firefox versions, in Konqueror and in Microsoft's Internet Explorer.
...
> Why does this still work?

This is not really a feature of the browsers but of the underlying library
routines that do the resolving (yes, most OSes have this interesting feature).

It looks like while most browsers just pass the host part to the library
routines, the proxy (or proxies) that you tested don't, but do some checking
first, or they use different library routines.

 ciao
    Joerg

--
Joerg Mayer                                           <jmayer@...lof.de>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
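The resolver behaviour Joerg describes comes from the classic inet_aton(3) grammar, which accepts hex, octal and fewer-than-four-part forms in addition to a dotted quad. The following is an added example, not code from either poster: a portable reimplementation of that grammar in Python, used to flag URL hosts that a browser would resolve as an IP address even though they do not look like one. The sample URLs are constructed; the hex value 0xc0a80101 is 192.168.1.1, not the address from the reported mail.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# The three numeric spellings inet_aton(3) accepts for each dot-separated part.
_HEX = re.compile(r"0[xX][0-9a-fA-F]+")
_OCT = re.compile(r"0[0-7]*")
_DEC = re.compile(r"[1-9][0-9]*")


def inet_aton_legacy(host):
    """Parse host like classic inet_aton(3): 1 to 4 parts, each decimal, octal
    (leading 0) or hex (0x). With fewer than 4 parts the last part fills the
    remaining low bytes (a.b.c: c is 16-bit, a.b: b is 24-bit, a: 32-bit).
    Returns the address as a 32-bit int, or None if the string is rejected."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for p in parts:
        if _HEX.fullmatch(p):
            values.append(int(p[2:], 16))
        elif _OCT.fullmatch(p):
            values.append(int(p, 8))
        elif _DEC.fullmatch(p):
            values.append(int(p, 10))
        else:
            return None  # ordinary hostnames such as www.paypal.com land here
    *lead, last = values
    last_bits = 8 * (4 - len(lead))
    if any(v > 0xFF for v in lead) or last >= 1 << last_bits:
        return None
    addr = 0
    for v in lead:
        addr = (addr << 8) | v
    return (addr << last_bits) | last


def classify_host(host):
    """Return (kind, canonical): 'name' for a DNS name, 'ipv4' for a plain
    dotted quad, 'obfuscated-ipv4' for anything else inet_aton still resolves."""
    addr = inet_aton_legacy(host)
    if addr is None:
        return ("name", host)
    dotted = str(ipaddress.IPv4Address(addr))
    return ("ipv4" if dotted == host else "obfuscated-ipv4", dotted)


def classify_url(url):
    """Apply classify_host to the host part of a URL, as a mail filter would."""
    return classify_host(urlsplit(url).hostname or "")


if __name__ == "__main__":
    # Constructed samples; 0xc0a80101, 3232235777 and 0300.0250.1.1 are all 192.168.1.1.
    for u in ("http://0xc0a80101/www.paypal.com/int/index.htm", "http://3232235777/",
              "http://0300.0250.1.1/", "http://192.168.1/", "http://www.example.com/"):
        print(u, "->", classify_url(u))
```

A filter that only checks for a dotted quad misses every form this parser flags as obfuscated, which is exactly the gap the phishing mail exploited.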
