It didn't work here. It seems the cache only receives de 2nd part of the
address (as it seems access.log).
Realy hope M$ patches it quickly.
Regards,
J.T.
Jo�o Tiago T. F. Silveira
Baterias AJAX Ltda.
Departamento de Inform�tica
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
http://www.ajax.com.br <http://www.ajax.com.br/>
-----Mensagem original-----
De: Antony Stone [mailto:[EMAIL PROTECTED]
Enviada em: quinta-feira, 11 de dezembro de 2003 13:29
Para: [EMAIL PROTECTED]
Assunto: Re: [squid-users] filtering new IE exploit
On Thursday 11 December 2003 3:07 pm, DB wrote:
> I saw a new IE exploit descibed as follows:
>
> ---------------------
> http://www.secunia.com/advisories/10395/
>
> Example displaying only "http://www.trusted_site.com"; in the address bar
> when the real domain is "malicious_site.com":
> http://[EMAIL PROTECTED]/malicious.html
> --------------------
>
> I'm trying to use an acl to prevent access to such urls. I tried this:
>
> acl ieflaw url_regex %01@
>
> and
>
> http_access deny ieflaw
>
> but this doesn't seem to do anything at all
This is a bit of a guess, but you might need to escape one or two of those
characters?
acl ieflaw url_regex \%01\@
should be safe.
Also, from a discussion on another mailing list, I believe the exploit is
still effective:
a) with one or more characters between the %01 and the @ (I don't know if
there's an upper limit to how many can be instered)
b) with certain other non-printable characters in place of the %01
Antony.
--
There are two possible outcomes:
If the result confirms the hypothesis, then you've made a measurement.
If the result is contrary to the hypothesis, then you've made a discovery.
- Enrico Fermi
Please reply to the
list;
please don't CC
me.
