[ot] Re: [thelist] IP obfuscation

Chris Marsh chris at webbtech.co.uk
Fri Feb 7 08:33:15 CST 2003


[..]

> Other exploits come to mind, but are hazy... if I'm not
> mistaken there were some exploits floating around, tricking
> IE into thinking a site is in the secure zone when it wasn't
> (IE thought the site was on localhost when it was really on a
> remote host and other such stuff). That's one example of
> exploiting URIs to trick the browser (rather than the untrained user).

That's right. IE detected intranet addresses by absence of dots. Thus an
un-dotted internet address was assigned intranet security status.
Microsoft's response at the time was that it wasn't a bug, just
something that they would expect users to make themselves aware of.
Yeah, that's right. Market a product on the basis that you need two
fingers and a 27+ IQ to operate it and then make it the responsibility
of the user to figure out that you can produce an IP address with no
dots. This would be after discovering what an IP address is for many
home users...

*sigh*

[..]

Regards

Chris Marsh




