OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Darren W. MacDonald (darrydoosympatico.ca)
Date: Wed Dec 05 2001 - 21:38:24 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Poor browsers, confused into thinking that this is Intranet traffic
    because it's dotless... <sigh>

    See MS KB Q306121 and MS Security Bulletin MS01-051 for details and a
    patch for IE.

    HTH
    Darren

    > -----Original Message-----
    > From: maillist [mailto:maillistgo.ro]
    > Sent: Wednesday, December 05, 2001 1:25 PM
    > To: vuln-devsecurityfocus.com
    > Subject: Re: Proxy bypass in Opera : security related ?
    >
    > Hi,
    > I don't know if that's a problem caused only by Opera, I found that
    'bug'
    > surfing with IE (6.0) too.
    > Trying to acces diffrent web pages, some of them listed my real IP
    address
    > insted of proxy address.
    > (e.g. trying to make an account at www.ifriends.com).
    > It might be a 'bug' in Opera/IE or a 'high security' web page.
    >
    >
    > ----- Original Message -----
    > From: "Nicolas Gregoire" <ngregoireexaprobe.com>
    > To: <vuln-devsecurityfocus.com>
    > Sent: Wednesday, December 05, 2001 11:22 AM
    > Subject: Proxy bypass in Opera : security related ?
    >
    >
    > > Hi,
    > >
    > > while I was trying to bypass some URL filtering software using
    specially
    > formated URLs, I found a problem
    > > in the Opera browser.
    > >
    > > This bug was reported to Opera via their bug notification form, but
    I
    > haven't receive any response so far.
    > >
    > > Details :
    > > ======
    > >
    > > When the URL http://3638218280/ is requested, Opera will try to
    fetch to
    > page located at
    > > http://216.218.206.40/ (normal DWord to IP address conversion [1])
    > *without* using the configured
    > > proxy settings.
    > >
    > > Scenario :
    > > =========
    > >
    > > I haven't any really interesting scenario for this bug.
    > > Yes, it's possible to make a user follow a link and get a page
    without
    > using the configured proxy, but if,
    > > in a company, there's a proxy and a way to fetch web pages without
    using
    > the proxy, the problem is,
    > > in my opinion, a security policy problem ....
    > >
    > >
    > > Does anybody see any security implication for this bug ?
    > >
    > >
    > > Nicolas Grégoire [2]
    > >
    > >
    > > [1] : http://www.fichtner.net/tools/ip2dword/
    > > [2] : Please excuse my poor english
    > >
    > >
    > >
    > >
    > >
    > >