Re: URLs with hexcode-obscured IPs still work?

[Joerg Mayer <jmayer () loplof de>]

On Wed, Nov 26, 2008 at 11:38:52PM +0100, niclas wrote:
> Today I received a phishing mail containing a link which obscures the
> IP-address as a hexadecimal number. The URL looks like this:
>
> http:// 0x ded 6d8a1/www.paypal.com/int ... /index.htm
>
> (Spaces added to circumvent phishing filters.)
>
> This seems to be an old problem, and links like that - IMHO - just
> shouldn't work. They don't do when using proxy servers, but they do in
> some Firefox-versions, in Konqueror and in Microsoft's Internet Explorer.
...
> Why does this still work?

This is not really a feature of the browsers but of the underlying library
routines that do the resolving (yes, most OS' have this interesting feature).

It looks like while most browsers just pass the host part to the library
routines, the proxy (proxies) that you tested don't but do some checking
first, or they use different library routines.

 ciao
    Joerg

--
Joerg Mayer                                           <jmayer () loplof de>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/