On Mon, 16 Jun 2008, mouss wrote:
> Chip M. wrote:
> > Just noticed a new (to me) Geocities obfuscation technique that uses
> > embedded relative path(s):
> > http://geocities.com/./qryz/../cristinasantiago49/?q=u-og3sygmores7rhqzn5ba
> > That breaks my own subsite extraction code. :(
>
> "/." is a Unix construct, so except for filenames like ".foo", I see no
> use for that over the web (the web is not Unix). So
> \/\.\W
> doesn't look to be needed for legitimate URLs. Same goes for equivalent
> encodings.

I've seen multiple leading periods in phish messages. My local rule for
this is equivalent to \/\.{1,4}\W

> and since such URLs are used to evade detection by proxies and access
> control implementations, I'd say get this out (old Tomcat and
> Tomcat+Apache used to have a vulnerability that allowed access to Tomcat
> admin using such URLs).

They're also used to hide fraudulent website content from the
administrators of compromised hosts. Ideally their presence should
generate an alert to the abuse address of the host that appears in the
URL. Implementation of this is left as an exercise for the student.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
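
An added example, not part of the original thread: a Python sketch that applies the local rule quoted above to the percent-decoded URL path, then resolves the dot segments so that subsite extraction still works on the Geocities URL from the first message. The function names are hypothetical, and every sample URL except the first is constructed.

```python
import re
from urllib.parse import urlsplit, unquote

# The local rule quoted in the thread, applied here to the decoded path only.
# As written it needs a character after the dots, so a path that ends in
# "/." or "/.." is not matched.
DOT_RULE = re.compile(r"/\.{1,4}\W")

def decode_path(path, max_rounds=3):
    """Undo percent-encoding, including double-encoded forms such as %252e."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def remove_dot_segments(path):
    """Resolve "." and ".." segments of an absolute path (RFC 3986, 5.2.4)."""
    segs, out = path.split("/"), []
    for i, seg in enumerate(segs):
        if seg in (".", ".."):
            if seg == ".." and len(out) > 1:
                out.pop()
            if i == len(segs) - 1:
                out.append("")  # a trailing dot segment leaves a directory
            continue
        out.append(seg)
    return "/".join(out)

def inspect_url(url):
    """Return (flagged, subsite): rule hit, first segment of resolved path."""
    path = decode_path(urlsplit(url).path)
    flagged = bool(DOT_RULE.search(path))
    names = [s for s in remove_dot_segments(path).split("/") if s]
    return flagged, (names[0] if names else None)

SAMPLES = [
    # URL from the thread
    "http://geocities.com/./qryz/../cristinasantiago49/?q=u-og3sygmores7rhqzn5ba",
    # constructed: the same path with percent-encoded periods
    "http://geocities.com/%2e/qryz/%2E%2E/cristinasantiago49/",
    # constructed: ordinary URL and a dot-file name, neither should be flagged
    "http://geocities.com/cristinasantiago49/index.html",
    "http://example.com/.foo/page.html",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(inspect_url(u), u)
```

Running the rule on the path alone keeps periods in the hostname or query string from triggering it, and decoding first covers the "equivalent encodings" mentioned in the thread.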