Obfuscating with % - a new cache hack

From: Dave J Woolley <DJW@dont-contact.us>
Date: Wed, 14 Jul 1999 17:00:06 +0100

I'm not sure if squid is vulnerable to this, but the latest batch of spam
at the weekend advertised web sites with URL encoded, single number
domain names. I couldn't believe any browser is resolving these, so it
seems likely that they have discovered at least one proxy which does,
although they could be more stupid than I think.

Basically, they are taking the single number form of the IP address,
and coding some of the digits with URL encoding, so that the, well known,
dodgy site http://localhost.yourdomain.com/ might become:

http://%342%3781%390%30%381/

Further investigation shows that it is actually IE4 that resolves them and
squid reports an invalid URL format. (IE ends up trying www.4278190081.com
on this one.)
Received on Wed Jul 14 1999 - 09:50:49 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:47:23 MST