Re: Using domain whois information for fun and profit

[bkfsec <bkfsec () sdf lonestar org>]

Joachim Schipper wrote:

> Why not? It's not like it's internic's problem that some
> people/programmers do stupid things.
>
> Blacklists wouldn't work anyway, and it's, again, not internic's fault
> or problem.
>
> And there is no reason to use a web-based client when all serious
> networking operating systems come with a whois client supplied (or at
> least very, very easily installed).
>
>         
>  

It may not be internic's fault per-se, but this does constitute an issue 
that should be dealt with.

The question is one of data format.   It's always data format.  Almost 
every kind of input system has legal/illegal characters and bounding 
limitations of one form or another.  I think that it's fairly obvious 
that the format of the data being fed to them (and by them) should be 
their concern.

Whois information is not intended to be script.  As you pointed out, 
many major operating systems come with a text-based whois client and 
that whois client is meant to process plaintext data.   It's a 
formatting issue, plain and simple.  The field allows for formatting in 
its text that is not meant to be processed in the way that it's 
presented and as such that formatting represents bad IO. 

So, yes, it is their problem.  As much as it's a website's problem if 
someone is using XSS to grab session cookies using their posting 
mechanisms.  Not much different, really.

            -bkfsec


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/