It didn't work here. It seems the cache only receives the 2nd part of the
address (as it seems from access.log).
Really hope M$ patches it quickly.
Regards,
J.T.
João Tiago T. F. Silveira
Baterias AJAX Ltda.
Departamento de Informática
jttfsilveira@ajax.com.br
http://www.ajax.com.br
-----Original Message-----
From: Antony Stone [mailto:Antony@Soft-Solutions.co.uk]
Sent: Thursday, 11 December 2003 13:29
To: squid-users@squid-cache.org
Subject: Re: [squid-users] filtering new IE exploit
On Thursday 11 December 2003 3:07 pm, DB wrote:
> I saw a new IE exploit described as follows:
>
> ---------------------
> http://www.secunia.com/advisories/10395/
>
> Example displaying only "http://www.trusted_site.com" in the address bar
> when the real domain is "malicious_site.com":
> http://www.trusted_site.com%01@malicious_site.com/malicious.html
> --------------------
>
> I'm trying to use an acl to prevent access to such urls. I tried this:
>
> acl ieflaw url_regex %01@
>
> and
>
> http_access deny ieflaw
>
> but this doesn't seem to do anything at all
This is a bit of a guess, but you might need to escape one or two of those
characters?
acl ieflaw url_regex \%01\@
should be safe.
Also, from a discussion on another mailing list, I believe the exploit is
still effective:
a) with one or more characters between the %01 and the @ (I don't know if
there's an upper limit to how many can be inserted)
b) with certain other non-printable characters in place of the %01
Antony.
-- 
There are two possible outcomes: If the result confirms the hypothesis, then you've made a measurement. If the result is contrary to the hypothesis, then you've made a discovery.
 - Enrico Fermi

Please reply to the list; please don't CC me.

Received on Thu Dec 11 2003 - 09:18:11 MST
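
Added example (not part of the original thread and not Squid code): a Python check that generalizes the literal %01@ match discussed above to points (a) and (b), flagging any URL whose userinfo part (the text before the @ in the host portion) holds a control character, raw or percent-encoded. The function names and every sample URL other than the advisory's own are constructed for illustration. As the reply at the top observes, a proxy may only see the part after the @, so this is meant for places where the full URL string is available.

```python
import re
from urllib.parse import unquote

# Authority = everything between "scheme://" and the next "/", "?" or "#".
_AUTHORITY = re.compile(r'^[a-z][a-z0-9+.\-]*://([^/?#]*)', re.IGNORECASE)


def spoofed_userinfo(url):
    """True if the userinfo (before the last '@' of the authority) contains
    a control character (0x00-0x1F or 0x7F), raw or percent-encoded."""
    m = _AUTHORITY.match(url)
    if not m or '@' not in m.group(1):
        return False          # no userinfo: an '@' in the path is harmless
    userinfo = m.group(1).rpartition('@')[0]
    # latin-1 maps every decoded byte to exactly one character.
    decoded = unquote(userinfo, encoding='latin-1')
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded)


def scan(urls):
    """Return the subset of urls that should be blocked or reviewed."""
    return [u for u in urls if spoofed_userinfo(u)]


# Constructed sample input; the first URL is the advisory's own example.
SAMPLES = [
    "http://www.trusted_site.com%01@malicious_site.com/malicious.html",
    "http://www.trusted_site.com%01padding@malicious_site.com/",  # case (a)
    "http://www.trusted_site.com%1f@malicious_site.com/",         # case (b)
    "http://www.trusted_site.com\x01@malicious_site.com/",        # raw byte
    "http://user:secret@intranet.example/",      # ordinary credentials
    "http://www.example.com/page%01@anchor",     # '@' only in the path
    "http://www.example.com/",
]

if __name__ == "__main__":
    for hit in scan(SAMPLES):
        print("DENY", repr(hit))
```

The check decodes one level of percent-encoding only; a URL that reaches it double-encoded (%2501) is not flagged.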