I read an article in EWeek that explained how to create a misleading web
link or link in email by typing the acceptable http address, followed by
"%01%00@" and the actual destination address.  I showed it to my boss,
who didn't like what she saw.

Is it possible to create an ACL in Squid that specifically stomps out
misdirected URLs?  I don't know if Squid must accept literal characters
when sniffing out URLs for ACLs, since the %01 and %00 are hex
representations.  Anyone have an idea about this?  If so, it'd be a boon
to add another ACL that stops this simple exploit at the proxy.

According to the W3 consortium, the @ symbol is a reserved character, so
it's probably not wise to block for it exclusively.

Thanks!

Eric

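Added example, not from the post or from Squid: the check a proxy or log filter would need to apply to catch the "%01%00@" trick described above, written in Python rather than as a Squid ACL so it can be run against sample URLs (the URLs are constructed for this example). It flags a URL only when the userinfo part before "@" contains control characters (raw or percent-encoded) or looks like a hostname, so a plain "@" elsewhere in the URL, which the post rightly notes is a reserved character, is not blocked.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample URLs (not from the original post). The first is shaped
# like the deceptive link described: a trusted-looking host, then "%01%00@",
# then the real destination.
SAMPLE_URLS = [
    "http://www.example-bank.test%01%00@198.51.100.7/login",
    "http://user:secret@intranet.example/index.html",
    "http://www.example.com/search?q=a%40b",
    "http://www.example.com/",
]

# Percent-encoded ASCII control characters (%00-%1F, %7F).
CONTROL_ESCAPE = re.compile(r"%0[0-9a-f]|%1[0-9a-f]|%7f", re.IGNORECASE)
# Something with at least one dot and only hostname characters.
LOOKS_LIKE_HOST = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)


def classify_url(url: str) -> str:
    """Return 'clean', 'userinfo' or 'deceptive' for one URL.

    'deceptive' means the userinfo (text before '@' in the authority)
    contains control characters, raw or percent-encoded, or looks like a
    hostname: the two tells of the trick in the post. Ordinary credentials
    are reported as 'userinfo' so the deployer can decide about them.
    """
    netloc = urlsplit(url).netloc
    if "@" not in netloc:
        return "clean"  # an '@' only in the path or query is legitimate
    userinfo = netloc.rsplit("@", 1)[0]
    if CONTROL_ESCAPE.search(userinfo):
        return "deceptive"  # encoded form, as it arrives at the proxy
    decoded = unquote(userinfo)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        return "deceptive"  # already-decoded control characters
    if LOOKS_LIKE_HOST.match(decoded.split(":", 1)[0]):
        return "deceptive"  # "username" is really a look-alike host
    return "userinfo"


def deny_list(urls):
    """Return the URLs that the proxy should refuse."""
    return [u for u in urls if classify_url(u) == "deceptive"]


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{classify_url(u):10s} {u}")
```

A Squid `url_regex` ACL would have to express the same test as a single regular expression; this function makes the intended decision explicit before it is squeezed into that form.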