Full Disclosure mailing list archives
Re: Using domain whois information for fun and profit
From: bkfsec <bkfsec () sdf lonestar org>
Date: Fri, 03 Mar 2006 15:23:08 -0500
Joachim Schipper wrote:
> Why not? It's not like it's internic's problem that some people/programmers do stupid things. Blacklists wouldn't work anyway, and it's, again, not internic's fault or problem. And there is no reason to use a web-based client when all serious networking operating systems come with a whois client supplied (or at least very, very easily installed).
It may not be internic's fault per se, but this does constitute an issue that should be dealt with.
The question is one of data format. It's always data format. Almost every kind of input system has legal/illegal characters and bounding limitations of one form or another. I think that it's fairly obvious that the format of the data being fed to them (and by them) should be their concern.
Whois information is not intended to be script. As you pointed out, many major operating systems come with a text-based whois client and that whois client is meant to process plaintext data. It's a formatting issue, plain and simple. The field allows for formatting in its text that is not meant to be processed in the way that it's presented and as such that formatting represents bad IO. So, yes, it is their problem. As much as it's a website's problem if someone is using XSS to grab session cookies using their posting mechanisms. Not much different, really.
-bkfsec
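The consuming side of the data-format point above, as an added example that is not part of the original post: a web-based whois front end that treats registry fields as plaintext, flags values outside a plain-text allowlist, and HTML-escapes everything it renders. The sample record, the allowlist and all function names are assumptions made for this illustration.

```python
import html
import re

# Constructed sample whois response (not real registry data); the
# Registrant Name field carries markup, as in the thread's scenario.
SAMPLE_WHOIS = (
    "Domain Name: EXAMPLE.TEST\n"
    "Registrant Name: <script>alert(1)</script>\n"
    "Registrant Email: admin@example.test\n"
)

# Assumed allowlist for this example: characters expected in plaintext
# contact data. Anything else marks the field as malformed input.
PLAINTEXT_OK = re.compile(r"^[A-Za-z0-9 .,:;@/_+()\-]*$")


def parse_whois(text):
    """Split 'Key: value' lines into (key, value) pairs."""
    pairs = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            pairs.append((key.strip(), value.strip()))
    return pairs


def suspicious_fields(pairs):
    """Names of fields whose value falls outside the plaintext allowlist."""
    return [key for key, value in pairs if not PLAINTEXT_OK.match(value)]


def render_naive(pairs):
    """The mistake: registry-controlled text pasted into HTML as-is."""
    return "".join(f"<tr><td>{k}</td><td>{v}</td></tr>" for k, v in pairs)


def render_escaped(pairs):
    """The fix: every key and value is HTML-escaped before it is emitted."""
    rows = (
        f"<tr><td>{html.escape(k)}</td><td>{html.escape(v)}</td></tr>"
        for k, v in pairs
    )
    return "".join(rows)
```

The allowlist check is for logging or rejecting odd records; the escaping in render_escaped is what keeps the field inert in the browser regardless of what the registry accepted.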