[ot] Re: [thelist] IP obfuscation
Chris Marsh
chris at webbtech.co.uk
Fri Feb 7 08:33:15 CST 2003
[..]
> Other exploits come to mind, but are hazy... if I'm not
> mistaken there were some exploits floating around, tricking
> IE into thinking a site is in the secure zone when it wasn't
> (IE thought the site was on localhost when it was really on a
> remote host and other such stuff). That's one example of
> exploiting URIs to trick the browser (rather than the untrained user).

That's right. IE detected intranet addresses by absence of dots. Thus an
un-dotted internet address was assigned intranet security status.
Microsoft's response at the time was that it wasn't a bug, just
something that they would expect users to make themselves aware of.

Yeah, that's right. Market a product on the basis that you need two
fingers and a 27+ IQ to operate it and then make it the responsibility
of the user to figure out that you can produce an IP address with no
dots. This would be after discovering what an IP address is for many
home users...

*sigh*
[..]
Regards
Chris Marsh
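
The dot-count heuristic described in this message, next to a check that canonicalizes the host before deciding, as an added example that is not part of the original post and is not Microsoft's code. The function names, the sample hosts and the private-range zone policy are assumptions made for illustration.

```javascript
// Parse one numeric host component in the classic inet_aton style:
// 0x.. is hex, a leading 0 is octal, otherwise decimal. null = not numeric.
function parsePart(s) {
  if (/^0x[0-9a-f]+$/i.test(s)) return parseInt(s.slice(2), 16);
  if (/^0[0-7]*$/.test(s)) return parseInt(s, 8);
  if (/^[1-9][0-9]*$/.test(s)) return parseInt(s, 10);
  return null;
}

// Return the dotted-quad form of any numeric IPv4 spelling (1 to 4 parts),
// or null when the host is a real name.
function canonicalIPv4(host) {
  const parts = host.split(".");
  if (parts.length > 4) return null;
  const nums = parts.map(parsePart);
  if (nums.includes(null)) return null;
  const last = nums.pop();
  // Leading parts are one byte each; the last part fills the remaining bytes.
  if (nums.some((n) => n > 255)) return null;
  if (last >= 2 ** (8 * (4 - nums.length))) return null;
  let value = last;
  nums.forEach((n, i) => { value += n * 2 ** (8 * (3 - i)); });
  return [24, 16, 8, 0].map((sh) => Math.floor(value / 2 ** sh) % 256).join(".");
}

// The heuristic described in the post: no dots in the host means intranet.
function naiveZone(host) {
  return host.includes(".") ? "internet" : "intranet";
}

// Hardened check: canonicalize first, then decide on the address itself.
// Assumed policy: only loopback and private ranges count as intranet.
function checkedZone(host) {
  const ip = canonicalIPv4(host);
  if (ip === null) return naiveZone(host); // a real name: the dot rule is fine
  const [a, b] = ip.split(".").map(Number);
  const isPrivate = a === 10 || a === 127 ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
  return isPrivate ? "intranet" : "internet";
}

// Constructed sample hosts; 3221225985 and 0xC0000201 both spell 192.0.2.1.
for (const h of ["fileserver", "www.example.com", "3221225985", "0xC0000201"]) {
  console.log(h, canonicalIPv4(h), naiveZone(h), checkedZone(h));
}
```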