Topic awaiting preservation: Scary domain exploit (Page 1 of 1)

 
Nathus
Bipolar (III) Inmate

From: Minnesota
Insane since: Aug 2003

posted 02-10-2005 16:14

Check out this article Shmoo Group exploit: 0wn any domain, no defense exists.

Due to the way that browsers (except IE) handle International Domain Names, people can spoof domains and SSL certificates.

The article also goes over how to disable this exploit in Firefox.

Jestah
Maniac (V) Mad Scientist

From: Long Island, NY
Insane since: Jun 2000

posted 02-10-2005 16:36

Actually, the best fix can be found here.

1. Install the Adblock Firefox extension.
https://update.mozilla.org/extensions/moreinfo.php?application=firefox&version=1.0&os=Windows&id=10

2. Look at the Adblock 'Preferences' and go to 'Adblock Options'

3. Tick 'Site Blocking'

4. Add the following filter :-
/[^\x20-\xFF]/

This will block any URL that uses characters outside the normal ASCII range.

NoJive
Maniac (V) Inmate

From: The Land of one Headlight on.
Insane since: May 2001

posted 02-10-2005 17:39

Jestah:

your filter there... does it include the forward slash ...front and back? I know nothing about this stuff and just got a 'warning' that I was about to install a 'regular expression' and that if I didn't know what I was doing.... get da hell outta here boy.
thx =)

WebShaman
Maniac (V) Mad Scientist

From: Happy Hunting Grounds...
Insane since: Mar 2001

posted 02-10-2005 19:40

Works like a charm, Jester! Thanks for the info.

hyperbole
Paranoid (IV) Inmate

From: Madison, Indiana, USA
Insane since: Aug 2000

posted 02-10-2005 19:42

NoJive,
His filter excludes all characters in the range 'space' to xFF. The caret (^) at the start of the expression says anything not in the range x20 to xFF. Yes, slant sign and back slant and all the numbers and alphabetic characters and other normal punctuation fall in the x20-xFF, but since he said everything but that range, it should work fine.

Jestah,
Why did you make the end of the range xFF? I think I would make the expression [^\x20-\x76]. That would cover all the printable ASCII characters. Is there a reason for including the others?





-- not necessarily stoned... just beautiful.


(Edited by hyperbole on 02-10-2005 21:22)

WebShaman
Maniac (V) Mad Scientist

From: Happy Hunting Grounds...
Insane since: Mar 2001

posted 02-11-2005 00:22

hyperbole, check the link that Jester gave. He didn't make the fix, he just posted it here.

viol
Maniac (V) Inmate

From: Lago Paranoá
Insane since: May 2002

posted 02-11-2005 00:47

Wow, that was really terrible. I am not going to trust the address bar anymore. I will look at the code!

Anyway, adblock seems to avoid the problem. That's good. Thanks all for the links.

hyperbole
Paranoid (IV) Inmate

From: Madison, Indiana, USA
Insane since: Aug 2000

posted 02-11-2005 18:56

WebShaman,
OK, I had looked at that site when reading this thread, but I spent long enough looking at other issues on this problem that I forgot that Jestah had probably just copied the procedure to his post.

I made a mistake in my post. The range should be \x20-\x7E not \x20-\x76.

It still seems to me that restricting the acceptable characters to the printable ASCII characters is the safest thing to do. Does anyone have any input on this?

This filter still won't stop the method used by BoingBoing on this page. The filter allows you to go to the fake paypal page with no complaints. The only way I have seen to catch the method used by BoingBoing is to visually check the source of the page before clicking the link.




-- not necessarily stoned... just beautiful.
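The two character ranges discussed in the thread, run side by side over constructed URLs (an added example, not part of any post and not Adblock's own code). It assumes the regex is tested against the URL string exactly as written; `rawHost`, `hasAceLabel`, `classify` and the sample URLs are hypothetical names and values made up for illustration.

```javascript
// Filters as JavaScript regex literals; the surrounding slashes are delimiters.
const FILTER_POSTED = /[^\x20-\xFF]/; // filter from step 4 of the posted fix
const FILTER_ASCII = /[^\x20-\x7E]/;  // printable-ASCII range proposed in the thread

// Hypothetical helper: extract the host without normalising it, so we look at
// the same characters a string-based filter would see.
function rawHost(url) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/(?:[^\/?#@]*@)?([^\/?#:]*)/i.exec(url);
  return m ? m[1] : "";
}

// True when any DNS label carries the IDN ASCII-compatible prefix "xn--".
function hasAceLabel(host) {
  return host.toLowerCase().split(".").some((label) => label.startsWith("xn--"));
}

function classify(url) {
  return {
    blockedByPosted: FILTER_POSTED.test(url),
    blockedByAscii: FILTER_ASCII.test(url),
    aceHost: hasAceLabel(rawHost(url)),
  };
}

// Constructed sample URLs (not taken from the thread or the linked articles).
const SAMPLES = {
  plain: "https://www.example.com/login",
  // U+0430 CYRILLIC SMALL LETTER A: outside both ranges, so both filters match.
  cyrillic: "https://www.ex\u0430mple.com/login",
  // U+00E0 lies inside \x20-\xFF: only the printable-ASCII filter matches.
  latin1: "https://www.ex\u00E0mple.com/login",
  // Constructed ACE-style label: pure ASCII, so neither character filter matches
  // and only the explicit "xn--" check flags it.
  ace: "https://www.xn--placeholder.example/login",
};

function report() {
  return Object.fromEntries(
    Object.entries(SAMPLES).map(([name, url]) => [name, classify(url)])
  );
}

console.log(report());
```
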

viol
Maniac (V) Inmate

From: Lago Paranoá
Insane since: May 2002

posted 02-12-2005 00:25

Uhmmm, I applied the filter and it DOES stop Firefox from having the bug.

Jestah
Maniac (V) Mad Scientist

From: Long Island, NY
Insane since: Jun 2000

posted 02-12-2005 04:29

Oh no, I didn't create the filter. I hope I didn't give you that impression. I found the fix on the mozillazine website and it worked like a charm for me. I don't even have Firefox installed on this computer (Safari user) but I put it on a few friends' computers and there haven't been any problems.

(Edited by Jestah on 02-12-2005 04:29)

WebShaman
Maniac (V) Mad Scientist

From: Happy Hunting Grounds...
Insane since: Mar 2001

posted 02-12-2005 11:48

Hyperbole, the fix stops those methods on BoingBoing as well (at least, it does in my FF). I click on the spoof links, and nothing happens.

WebShaman | Asylum D & D | D & D Min Page

Nathus
Bipolar (III) Inmate

From: Minnesota
Insane since: Aug 2003

posted 02-12-2005 14:11

At first it didn't work for me because I had forgotten to check site block under preferences. (Did it twice when setting this up on 2 computers.)

poi
Paranoid (IV) Inmate

From: France
Insane since: Jun 2002

posted 02-25-2005 12:46

Firefox 1.0.1 fixes the IDN problem which, btw, comes from VeriSign's i-Nav Plug-In and not from the browser vendors who implemented the IDN specs. You can download Firefox 1.0.1 here.
