On 2011/11/28 17:49, C. Bensend wrote:
I guess I'm confused why you think this is a vulnerability... It's
simply another way to represent an IP address that browsers grok.
Is it obfuscation? Sure. But hell, for the average internet user,
a NON-obfuscated IP address is cryptic enough. ;) This is just
another way to do it...
Might I suggest reading the specification for URLs. I believe that
only DNS addresses and decimal dotted quads are "legal". The other
misrepresentations are not permitted so responding to them is a bug
for a browser or other URL based tool. If I'm wrong I'd like to know
with the appropriate URL RFC cited.
{^_^}
I didn't say legal. :) Browsers have a long and rich history of
bending/breaking the "rules" in order to make the browsing experience
faster/better/insert-buzzword-here.
HTML content (web pages, rich email, blah blah blah) is horrifying
nowadays. Standards? Nope, standards get in the way. I wouldn't
be surprised if a vast majority of the HTML clients out there (web
browsers, email clients, etc) exhibit this behavior.
There's a difference between "vulnerability" and "it works anyway".
Honest question - do you believe this is a *vulnerability*, or are
you just irritated because it's happening? :)
Not intending to come across as snarky... I just don't think this
is a bug or vulnerability, but probably considered a "feature".
It is a way of obfuscating that's over the top and nobody has a way to
get those oddball formulations easily from standard tools. They become
an excellent way of leading people to strange addresses with strings
that include ?ASFDikmedsfok3l1masdh sort of text following the index.html.
If it was only one browser that responded to the oddball addresses at this
time then it would be a way to target that browser with a zero day
vulnerability it has for installing malware.
Since it seems (I register astonishment here) that all browsers respond
to this. So that targeted malware idea does not fit anymore. It is
possibly something that facilitates hiding bad addresses from spam
filters and currently buys nothing for the browsing experience. That
means it's a small amount of code bloat for those upset by that concept.
(Enh - what me worry? 24 gigabytes is hard to fill without MUCH larger
examples of bloat. {^_-})
Basically, all I was looking for is who might respond to that sort of
an address to see if it was indeed one specific browser. That would
raise concerns that having all browsers respond doesn't.
What's amusing is how few answered the actual question and how many
presumed I could barely tie my shoe-laces. {^_-}
{^_^}
