At 08:06 16-06-2008, Chip M. wrote:
Just noticed a new (to me) Geocities obfuscation technique that uses
embedded relative path(s):
http://geocities.com/./qryz/../cristinasantiago49/?q=u-og3sygmores7rhqzn5ba
That breaks my own subsite extraction code. :(
[snip]
Other than borked mailing lists, can anyone recall seeing either of
those patterns in a legitimate emailed URL?
Yes, this one if it's a legitimate email. :-)
Given the way URLs are parsed, if the URL is preceded by "http://",
it's less likely to hit legitimate emails. Such paths are commonly
seen in messages about XSS. If the score is not too high, you can be
offset it with other rules.
Regards,
-sm