Brad Beyenhof wrote:
> On 10/30/2007 05:28 PM, Christopher Smith wrote:
>> Brad Beyenhof wrote:
>>> On 10/30/2007 04:56 PM, Christopher Smith wrote:
>>>> John H. Robinson, IV wrote:
>>>>> http://www.decenturl.com/132.239.180.101/tubgirl
>>>>>
>>>>> What do you know about that one? Then click. Were you right?
>>>> I know that it points to an IP address rather than a named host, which
>>>> means I've got zero reason to trust it.
>>> Would you trust it if you used Reverse DNS to find out that the IP
>>> resolves to cw-portal.ucsd.edu?
>>
>> Not really, because then my next question would be how "tubgirl" ended
>> up being in the title an HTTP target on UCSD's portal. The possible
>> answers aren't super pleasing. The best I could hope for is a blog or
>> news article on "tubgirl", and that would seem highly unlikely to be on
>> the main portal for UCSD. Far more likely that some student is having
>> some fun at someone else's expense.
>
> Well, at decenturl.com you can add in your own custom title. It only
> defaults to the page's <title> if you don't manually enter anything.

Ah, I missed that. Okay, so you trust the title as much as you trust the
sender then, not the host. Hmmm... I wonder if that makes my
rd.yahoo.com example exploitable.

--Chris
