Mar. 05, 2005, 01:51 PM
The discussion about this spoofing vulnerability and possible solutions with Proxomitron started at Y!G prox-list. I'm cross-posting here. See Secunia News or The Shmoo Group for testcase and explanation. Only Gecko browsers and Opera are affected, Internet Explorer doesn't have a Punycode handler.
Mozilla.org released a Firefox update that - among other things - always displays the real Punycode URL by default -- See here.
In my opinion this is the best way to handle that issue, since it doesn't involve any page modifications (or blocks, Punycode URLs are widely used in East-Asia and usually perfectly legit) on the part of Prox. While you can "emulate" that new Firefox behavior with a filter for older Gecko browsers, Opera refuses to explicitely display *any* URL starting with "xn--" (try e.g. xn--foobar.com).
Consequently, you'd need to mask that "xn--" in some way:
Notes:
Because the browser is seeing a different domain ("xn__" instead of "xn--") now, you may need to bypass the filters if you want to accept cookies from an "xn--" site.
Any URL command applied to the URL before the $JUMP isn't in effect afterwards.
The $JUMP needs to wait for an initial response to avoid being executed for HTTPS URLs, if "Use SSLeay..." is deactivated in the Prox settings.
The stand-alone version can't check if the current user-agent really needs that procedure.
The version for my set is here.
sidki
Mozilla.org released a Firefox update that - among other things - always displays the real Punycode URL by default -- See here.
In my opinion this is the best way to handle that issue, since it doesn't involve any page modifications (or blocks, Punycode URLs are widely used in East-Asia and usually perfectly legit) on the part of Prox. While you can "emulate" that new Firefox behavior with a filter for older Gecko browsers, Opera refuses to explicitely display *any* URL starting with "xn--" (try e.g. xn--foobar.com).
Consequently, you'd need to mask that "xn--" in some way:
Code:
[HTTP headers]
In = TRUE
Out = FALSE
Key = "! : Redir: IDN Exploit - Show real URL I [sd] (In)"
URL = "([^/]++.|)\2xn--\3&$URL(\1://)$JUMP(\1://\2xn__\3)"
In = FALSE
Out = TRUE
Key = "! : Redir: IDN Exploit - Show real URL II [sd] (Out)"
URL = "([^/]++.|)\2xn__\3&$URL(\1://)$RDIR(\1://\2xn--\3)$LOG(RGET $DTM(c) : IDN Address re-requested)"
Notes:
Because the browser is seeing a different domain ("xn__" instead of "xn--") now, you may need to bypass the filters if you want to accept cookies from an "xn--" site.
Any URL command applied to the URL before the $JUMP isn't in effect afterwards.
The $JUMP needs to wait for an initial response to avoid being executed for HTTPS URLs, if "Use SSLeay..." is deactivated in the Prox settings.
The stand-alone version can't check if the current user-agent really needs that procedure.
The version for my set is here.
sidki