I read an article in EWeek that explained how to create a misleading web
link or link in email by typing the acceptable http address, followed by
"%01%00@" and the actual destination address. I showed it to my boss,
who didn't like what she saw.
Is it possible to create an ACL in Squid that specifically stomps out
misdirected URLs? I don't know if Squid must accept literal characters
when sniffing out URLs for ACLs, since the %01 and %00 are hex
representations. Anyone have an idea about this? If so, it'd be a boon
to add another ACL that stops this simple exploit at the proxy.
According to the W3 consortium, the @ symbol is a reserved character, so
it's probably not wise to block for it exclusively.
Thanks!
Eric
Received on Thu Dec 18 2003 - 13:39:54 MST
This archive was generated by hypermail pre-2.1.9 : Thu Jan 01 2004 - 12:00:17 MST