Full Disclosure mailing list archives
Re: URLs with hexcode-obscured IPs still work?
From: Joerg Mayer <jmayer () loplof de>
Date: Thu, 27 Nov 2008 11:12:19 +0100
On Wed, Nov 26, 2008 at 11:38:52PM +0100, niclas wrote:
> Today I received a phishing mail containing a link which obscures the IP-address as a hexadecimal number. The URL looks like this:
> http:// 0x ded 6d8a1/www.paypal.com/int ... /index.htm
> (Spaces added to circumvent phishing filters.)
> This seems to be an old problem, and links like that - IMHO - just shouldn't work. They don't do when using proxy servers, but they do in some Firefox-versions, in Konqueror and in Microsoft's Internet Explorer.
> ...
> Why does this still work?
This is not really a feature of the browsers but of the underlying library routines that do the resolving (yes, most OSes have this interesting feature). It looks like while most browsers just pass the host part to the library routines, the proxy (proxies) that you tested don't but do some checking first, or they use different library routines.

ciao
Joerg
--
Joerg Mayer <jmayer () loplof de>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.
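Added example, not part of either post: a Python sketch of the classic `inet_aton()`-style numeric parsing (hex, octal, single-number and short forms) that resolver library routines like those mentioned in the reply accept, written so a mail or proxy filter can normalize a URL host before checking it. The function names and sample URLs (documentation address 192.0.2.1) are constructed for illustration, and exact library behaviour varies by platform.

```python
import re
from urllib.parse import urlsplit

_HEX = re.compile(r"0[xX][0-9a-fA-F]+")   # 0x prefix: hexadecimal
_OCT = re.compile(r"0[0-7]*")             # leading zero: octal
_DEC = re.compile(r"[1-9][0-9]*")         # otherwise: decimal

def _part(text):
    """Parse one dot-separated component; None if it is not numeric."""
    if _HEX.fullmatch(text):
        return int(text[2:], 16)
    if _OCT.fullmatch(text):
        return int(text, 8)
    if _DEC.fullmatch(text):
        return int(text, 10)
    return None

def numeric_host_to_ipv4(host):
    """Return the dotted quad a numeric host denotes, or None for a real name."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_part(p) for p in parts]
    if any(v is None for v in values):
        return None
    *head, last = values
    # Leading parts are single bytes; the last part fills all remaining bytes.
    if any(v > 0xFF for v in head) or last >= 1 << (8 * (4 - len(head))):
        return None
    addr = last
    for i, v in enumerate(head):
        addr |= v << (8 * (3 - i))
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def classify_url(url):
    """Label a URL host as 'name', 'plain-ip' or 'obscured-ip'."""
    host = urlsplit(url).hostname or ""
    ip = numeric_host_to_ipv4(host)
    if ip is None:
        return ("name", host)
    return ("plain-ip" if host == ip else "obscured-ip", ip)

if __name__ == "__main__":
    # Constructed sample URLs, all using the documentation address 192.0.2.1.
    for sample in ("http://0xc0000201/www.example.com/index.htm",
                   "http://3221225985/", "http://0300.0.02.01/",
                   "http://192.0.513/", "http://192.0.2.1/",
                   "http://www.example.com/"):
        print(sample, "->", classify_url(sample))
```

A filter would treat `obscured-ip` as a strong signal on its own and run its usual address checks against the normalized dotted quad.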