[squid-users] False Web addresses, and how to handle them

From: Eric Geater 12/12/03 <egeater@dont-contact.us>
Date: Thu, 18 Dec 2003 14:33:12 -0600

I read an article in EWeek that explained how to create a misleading web
link or link in email by typing the acceptable http address, followed by
"%01%00@" and the actual destination address. I showed it to my boss,
who didn't like what she saw.

Is it possible to create an ACL in Squid that specifically stomps out
misdirected URLs? I don't know if Squid must accept literal characters
when sniffing out URLs for ACLs, since the %01 and %00 are hex
representations. Anyone have an idea about this? If so, it'd be a boon
to add another ACL that stops this simple exploit at the proxy.

According to the W3 consortium, the @ symbol is a reserved character, so
it's probably not wise to block for it exclusively.

Thanks!

Eric
Received on Thu Dec 18 2003 - 13:39:54 MST
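
The check asked about above, sketched as an added example that is not part of the original post and is not Squid configuration: it flags a URL whose userinfo (the part before the last "@" in the authority) carries percent-encoded control bytes or is shaped like a hostname, while leaving ordinary user:password@host URLs alone. The function name `inspect_url`, the reason strings and all sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_to_bytes

# A userinfo string shaped like a DNS name, e.g. "www.example.com".
HOSTLIKE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

def inspect_url(url):
    """Return (real_host, reasons). reasons is empty when nothing looks spoofed."""
    parts = urlsplit(url)
    netloc = parts.netloc
    reasons = []
    if "@" not in netloc:
        return parts.hostname, reasons

    # Everything before the LAST "@" is userinfo; the host comes after it.
    userinfo = netloc.rpartition("@")[0]
    raw = unquote_to_bytes(userinfo)  # turns %01%00 into bytes 0x01 0x00

    # Control bytes never belong in credentials; here they exist only
    # to truncate or hide the rest of the URL when it is displayed.
    if any(b < 0x20 or b == 0x7F for b in raw):
        reasons.append("control-byte-in-userinfo")

    # Drop control bytes, then test whether the "user name" reads as a host.
    user = bytes(b for b in raw.split(b":", 1)[0] if 0x20 < b < 0x7F)
    if HOSTLIKE.match(user.decode("ascii", "replace")):
        reasons.append("userinfo-looks-like-host")

    return parts.hostname, reasons

if __name__ == "__main__":
    samples = [  # constructed sample URLs
        "http://www.example.com%01%00@192.0.2.10/login.html",
        "http://www.example.com@192.0.2.10/",
        "ftp://anonymous:guest@ftp.example.org/pub/",
        "http://www.example.com/index.html",
    ]
    for s in samples:
        host, why = inspect_url(s)
        print(f"{s}\n  real host: {host}  flags: {why or 'none'}")
```

Because the test is on the decoded userinfo rather than on the "@" character itself, legitimate uses of "@" elsewhere in a URL are not affected.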
