Chip M. wrote:
Just noticed a new (to me) Geocities obfuscation technique that uses
embedded relative path(s):
http://geocities.com/./qryz/../cristinasantiago49/?q=u-og3sygmores7rhqzn5ba
That breaks my own subsite extraction code. :(
The pedantic part of my brain wants to rewrite my code to
auto-adjust for relative paths, so I can continue testing the
subsite against Uribl's great subsite list.
The expedient part of my brain is thinking that either a ".." or a
"/./" in a URL are most shiny signs of spam (or major mailing list
stupidity), so I'm going to start with those as simple rules.
Other than borked mailing lists, can anyone recall seeing either of
those patterns in a legitimate emailed URL?
"/." is a unix construct, so except for filenames like ".foo", I see no
use for that over the web (the web is not unix). so
\/\.\W
doesn't look to be needed for legitimate URLs. same goes for equivalent
encodings.
and since such URLs are used to evade detection by proxies and access
control implementations, I'd say get this out (old tomcat and
tomcat+apache used to have a vulnerability that allowed access to tomcat
admin using such URLs).
