Re: [Full-disclosure] strange domain name in phishing email

2006-03-16 Thread Juha-Matti Laurio
It seems that this case has the name Dotless IP Address Security Issue and KB article #168617 http://support.microsoft.com/?kbid=168617 describes it even in IE4. Correct me if I'm wrong. - Juha-Matti IIRC, Microsoft changed that as one of the security updates to IE. For a time, it was a

Re: [Full-disclosure] strange domain name in phishing email

2006-03-15 Thread Q Beukes
I think this would be a client side only thing. Netcat connected fine when I have such a name (167772398 - 10.0.0.238) as a target. The reason I say this is because how would apache know what to do with: Host: 167772398 It might have been a vhost,

Re: [Full-disclosure] strange domain name in phishing email

2006-03-15 Thread gboyce
On Tue, 14 Mar 2006, Chris Umphress wrote: On 3/14/06, gboyce [EMAIL PROTECTED] wrote: I tried this trick against my personal Apache 2 webserver, and got a 400 bad request as well. The apache log is showing Client sent malformed Host header. It looks like Apache is getting the decimal host

Re: [Full-disclosure] strange domain name in phishing email

2006-03-15 Thread Alice Bryson
hi there: When I use IE 6 web browser, Apache 1.3 accepts this kind of request but Apache 2.0 doesn't. When I use IE 7 web browser, Apache 2.0 also accepts this kind of request. 2006/3/15, gboyce [EMAIL PROTECTED]: On Tue, 14 Mar 2006, Chris Umphress wrote: On 3/14/06, gboyce [EMAIL PROTECTED]

Re: [Full-disclosure] strange domain name in phishing email

2006-03-15 Thread gboyce
Can you do a packet capture, and find out what the request to the server looks like? Apache 2 doesn't seem to like the decimal host definition sent by most browsers. Perhaps IE 7 converts the decimal IP back into octal before sending it to the server. On Thu, 16 Mar 2006, Alice Bryson

Re: [Full-disclosure] strange domain name in phishing email

2006-03-15 Thread Jianqiang Xin
I tried the same address using nslookup of windows and linux. The linux nslookup and host generate an error message: ** server can't find 1406379699: NXDOMAIN. nslookup of Windows translates the number to a domain name. It seems that it works differently for different operating systems. Have a good

Re: [Full-disclosure] strange domain name in phishing email

2006-03-14 Thread Julien GROSJEAN - Proxiad
I think you try to remove the slash at the end... What about the logs? Alice Bryson wrote: BTW, this kind of IP address would not always work. I tried to use http://2887060730/ to access an internal web server http://172.21.12.250, but failed. It said 400 bad request. I use Windows XP

RE: [Full-disclosure] strange domain name in phishing email

2006-03-14 Thread Edward Pearson
I think you try to remove the slash at the end... What about the logs? Alice Bryson wrote: BTW, this kind of IP address would not always work. I tried to use http://2887060730/ to access an internal web server http

Re: [Full-disclosure] strange domain name in phishing email

2006-03-14 Thread Michael Holstein
Octal with eights in it?? As mentioned, it works fine with IE6 if you remove the final / No. it was decimal. FWIW, here's a quickie way to convert between the 3 (hex,decimal,dottedquad) -- all of which work in URLs. Also .. the security zone bypass trick I mentioned earlier is

Re: [Full-disclosure] strange domain name in phishing email

2006-03-14 Thread sheeponhigh
hi there It is a very strange thing. I have done the following tries. trying result http://172.21.12.250 success http://2887060730 failed http://2887060730/ failed telnet 2887060730 80 failed ping 2887060730

Re: [Full-disclosure] strange domain name in phishing email

2006-03-14 Thread Alice Bryson
hi there It is a very strange thing. I have done the following tries. trying result http://172.21.12.250 success http://2887060730 failed http://2887060730/ failed telnet 2887060730 80 failed ping 2887060730

Re: [Full-disclosure] strange domain name in phishing email

2006-03-14 Thread Chris Umphress
On 3/14/06, gboyce [EMAIL PROTECTED] wrote: I tried this trick against my personal Apache 2 webserver, and got a 400 bad request as well. The apache log is showing Client sent malformed Host header. It looks like Apache is getting the decimal host header, and doesn't understand what to do

Re: [Full-disclosure] strange domain name in phishing email

2006-03-13 Thread Alice Bryson
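Yes, this is only a way of expressing an IP address. Try the following C code, you would find out the answer.

    #include <stdio.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>

    int main() {
        /* inet_addr() returns the address in network byte order;
           convert to host order to get the single decimal number */
        printf("%lu\n", (unsigned long)ntohl(inet_addr("83.211.166.179")));
        return 0;
    }

it prints out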

Re: [Full-disclosure] strange domain name in phishing email

2006-03-13 Thread Alice Bryson
BTW, this kind of IP address would not always work. I tried to use http://2887060730/ to access an internal web server http://172.21.12.250, but failed. It said 400 bad request. I use Windows XP IE 6, web server is Apache on Windows 2003, does anyone know why? 2006/3/11, Jianqiang Xin [EMAIL

[Full-disclosure] strange domain name in phishing email

2006-03-11 Thread Jianqiang Xin
hi, I received several phishing emails. One interesting thing is the link to phishing website has the link: http://1406379699/dbweb/ws/ebay/index.htm If you click it, it goes to a fake ebay server. The DNS result shows: 1406379699 Server: Address: Name: ip-166-179.sn2.eutelia.it Address:

Re: [Full-disclosure] strange domain name in phishing email

2006-03-11 Thread [EMAIL PROTECTED]
google is cool http://www.alexcarlock.com/ip.asp Jianqiang Xin wrote: hi, I received several phishing emails. One interesting thing is the link to phishing website has the link: http://1406379699/dbweb/ws/ebay/index.htm If you click it, it

Re: [Full-disclosure] strange domain name in phishing email

2006-03-11 Thread Brian Dessent
Jianqiang Xin wrote: I received several phishing emails. One interesting thing is the link to phishing website has the link: http://1406379699/dbweb/ws/ebay/index.htm This is a very old technique. Most people think that dotted-quad decimal is the only way to express an IP address but they

Re: [Full-disclosure] strange domain name in phishing email

2006-03-11 Thread Nancy Kramer
Could it be a 301 permanent redirect? Regards, Nancy Kramer Webmaster http://www.americandreamcars.com Free Color Picture Ads for Collector Cars One of the Ten Best Places To Buy or Sell a Collector Car on the Web At 04:57 AM 3/11/2006, Jianqiang Xin wrote: hi, I received several phishing