The Un-Official Proxomitron Forum
A Browser Exploit That Doesn't Affect IE - Printable Version




- besafe - Feb. 08, 2005 07:53 PM

http://www.neowin.net/comments.php?id=26989&category=main

I think this type of thing is going to happen more often with the popularity of alternate browsers growing.


- Kye-U - Feb. 09, 2005 05:33 AM

A fix posted on MozillaZine.org for Firefox:

KevinMillican Wrote: A simpler way of fixing this is as follows :-

1. Install the Adblock Firefox extension.
https://update.mozilla.org/extensions/morei...s=Windows&id=10

2. Look at the Adblock 'Preferences' and go to 'Adblock Options'

3. Tick 'Site Blocking'

4. Add the following filter :-
/[^\x20-\xFF]/

This will block any URL that uses characters outside the normal ASCII range.

My two Proxomitron filters:

Code:
[Patterns]
Name = "IDN "xn--" URL Remover [Kye-U]"
Active = TRUE
URL = "(*.|)xn--"
Limit = 1
Match = "?"
Replace = "\k"
          "<b><font face="sans-serif" color="Red" size="6">Connection Killed - Proxomitron</font>"
          "<br><br><font face="sans-serif" color="Red" size="3">This is an <b>IDN Spoofed</b> Site!"
          "<br><br>Real URL: \u</font></b>"

Name = "Spoofed Address Exploit [Kye-U]"
Active = TRUE
URL = "(^$TYPE(css))"
Bounds = "($NEST(<(([a-z]+{1,*})|*=\s),</([a-z]+{1,*})>)|$NEST(<(([a-z]+{1,*})|*=\s),>))"
Limit = 1024
Match = "\0://(\1.([a-z]+{2,4})|*.*/)((?%00|(((%|&#)0[01])+{1,2})))[^/]++[@|%40]\2"
        "|\0://(\1.([a-z]+{2,4})|*.*/)%2F((%20|\s)+{1,*})[^/]++.\2"
        "|\0://(\1.([a-z]+{2,4})|*.*/)%(2F|01)[@|%40]\2"
        "|\0://(\w.|)\w(&#*;|%[a-z0-9][a-z0-9])\w.([a-z]+{2,4})*"
        "|\0://(*|)xn--*.([a-z]+{2,4})*"
        "$SET(\9=Think you're on Microsoft but you're on Yahoo? This filter will prevent the threat of such a situation."
        ""
        "http://www.securityfocus.com/bid/10517/info/"
        "http://secunia.com/advisories/10395/"
        "http://www.securityfocus.com/bid/10532/info/)"
Replace = "<strong>[URL Spoofing Exploit Removed]</strong>"
          "$ALERT(URL Spoofing Vulnerability Detected and Removed on:\n\n\u)"
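
Added example, not part of any post in this thread: a Python check that applies the two tests used above, the Adblock expression /[^\x20-\xFF]/ and the "xn--" host match, and decodes Punycode labels so the characters a browser would display can be inspected. The helper names and the sample URLs are constructed for illustration; the mixed-script check is an extra heuristic that the posted filters do not perform.

```python
import re
import unicodedata
from urllib.parse import urlsplit

ADBLOCK_RE = re.compile(r"[^\x20-\xFF]")  # the Adblock filter quoted above


def scripts_in(label):
    """Scripts of the letters in a label, taken from Unicode names (LATIN, CYRILLIC, ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def inspect_url(url):
    """Hypothetical helper: report what each test sees in the URL's host."""
    host = urlsplit(url).hostname or ""
    shown, puny, mixed = [], [], []
    for label in host.split("."):
        text = label
        if label.startswith("xn--"):          # what the Proxomitron URL match keys on
            puny.append(label)
            try:
                text = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                text = label                  # malformed Punycode: keep the raw label
        shown.append(text)
        if len(scripts_in(text)) > 1:         # e.g. Latin letters plus one Cyrillic letter
            mixed.append(text)
    hit = bool(ADBLOCK_RE.search(url))
    return {
        "host": host,
        "displayed_host": ".".join(shown),
        "punycode_labels": puny,
        "mixed_script_labels": mixed,
        "adblock_match": hit,
        "suspicious": bool(puny or mixed or hit),
    }


# Constructed samples: "ex\u0430mple" uses CYRILLIC SMALL LETTER A in place of Latin "a".
SPOOF_LABEL = "ex\u0430mple"
SAMPLES = [
    "http://www.example.com/index.html",
    "http://www." + SPOOF_LABEL + ".com/",
    "http://www.xn--" + SPOOF_LABEL.encode("punycode").decode("ascii") + ".com/",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(inspect_url(u))
```

On the third sample the character-range expression finds nothing, because the Punycode form of the host is plain ASCII; only the "xn--" test flags that string.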



- besafe - Feb. 09, 2005 03:31 PM

Thanks for the filters. Will come in handy when I'm not using IE. :)