URL commands borked after upgrade to IE8
Jul. 21, 2009, 01:34 PM
Post: #1
URL commands borked after upgrade to IE8
Hi All,

recently upgraded from IE6 -> IE8

URL commands stopped working

local.ptron still works, Proxo still accessible and functioning. Just URL commands don't work...(DNS error)

Any thoughts?
Jul. 21, 2009, 06:06 PM
Post: #2
RE: URL commands borked after upgrade to IE8
Hi again!

Same cause that broke Proxomitron aliases (DOT security introduced with IE7 three years ago).
Jul. 28, 2009, 04:55 PM (This post was last modified: Jul. 28, 2009 04:59 PM by JarC.)
Post: #3
RE: URL commands borked after upgrade to IE8
Ok, I give, been trying like mad to find any reference to what changed but can't seem to hit the "magic word". If this is some kind of security measure from M$ then there must be some reference articles to be found?

Using character substitution for the moment to get around this...
Jul. 28, 2009, 07:52 PM
Post: #4
RE: URL commands borked after upgrade to IE8
(Jul. 28, 2009 04:55 PM)JarC Wrote:  Ok, I give, been trying like mad to find any reference to what changed but can't seem to hit the "magic word". If this is some kind of security measure from M$ then there must be some reference articles to be found?

http://tech.groups.yahoo.com/group/prox-...sage/23340

http://blogs.msdn.com/ie/archive/2005/08/15/452006.aspx
Quote:Internet Explorer 7 includes a new URL handling architecture known internally as CURI. The new optimized URI functions provide more secure and consistent parsing of URIs to reduce attack surface and mitigate the threat of malicious URIs.

http://www.microsoft.com/presspass/downl.../IE7RG.doc
Quote:URL Handling Protections

Historically, attackers have taken advantage of internal code design issues within the Web browser to attack a system. A hacker would rely on a user clicking on an HTML link referencing some type of malformed URL that contains odd or excessive characters. In the process of parsing the URL, the system’s buffer would overflow and execute some code the hacker wanted to install. Given the size of Web browser application code, the most efficient solution to fixing these types of attacks was to issue updates as each was discovered and the root cause identified. Yet even with only a handful of such updates required, the more optimal solution was to rewrite the baseline application code. Internet Explorer 7 benefits from these experiences and the analysis of attack signatures. Rewriting certain sections of the code has drastically reduced the internal attack surface of Internet Explorer 7 by defining a single function to process URL data. This new data handler ensures higher reliability while providing greater features and flexibility to address the changing nature of the Internet as well as the globalization of URLs, international character sets and domain names.
Jul. 29, 2010, 09:38 AM (This post was last modified: Jul. 29, 2010 09:51 AM by bugmenot.)
Post: #5
RE: URL commands borked after upgrade to IE8
Are you telling me this has been going on for years and not even one user tried to solve it in Internet Explorer 8?

Then again, it's just ".." that doesn't work. "//" still works. You get a yellow warning bar, but it works.
Jul. 29, 2010, 10:05 AM
Post: #6
RE: URL commands borked after upgrade to IE8
there is nothing to "fix"...
we've all switched to appending our URL command to the END of the url instead of at the beginning...

where have you been? the url command at the END has been working for YEARS!...
Jul. 29, 2010, 06:25 PM
Post: #7
RE: URL commands borked after upgrade to IE8
I've only just moved to IE8 and assumed it will work with Proxomitron by now. How do you append at the end?
Jul. 29, 2010, 07:26 PM
Post: #8
RE: URL commands borked after upgrade to IE8
not sure how old your config is, but most of the newer configs already have the at-end-appends done "for you"...

ie, "antique" configs put proxo commands at the front in order to "debug", a NEWER debug URL looks like this - http://www.google.com/?prx-command=dbug..
ie, the command is appended to the end of the URL...
Aug. 05, 2010, 10:15 AM
Post: #9
RE: URL commands borked after upgrade to IE8
How does the ?prx-command=dbug.. command work? How can configs - as good as they are - change the programming of the closed source Proxomitron?
Aug. 05, 2010, 11:52 AM
Post: #10
RE: URL commands borked after upgrade to IE8
the only real way to "explain" it is for you to "SEE" it in action...

have you tried any 'newer' config sets? if you haven't seen these new "URL commands", my guess is a 'resounding no'...


the sheer power of Proxo is NOT within its "source", it's within the CONFIG that gets loaded, "config evolution" has increased the power of Proxo *TWENTY-FOLD* over and above the "config" that 'comes with' Proxo...
Aug. 05, 2010, 03:26 PM
Post: #11
RE: URL commands borked after upgrade to IE8
(Aug. 05, 2010 10:15 AM)bugmenot Wrote:  How does the ?prx-command=dbug.. command work? How can configs - as good as they are - change the programming of the closed source Proxomitron?

Browsers see ?prx-command=dbug.. while Proxomitron still sees debug..

There is a filter to do the translation

There is no change to Proxomitron itself
Oct. 13, 2010, 10:52 AM (This post was last modified: Oct. 13, 2010 12:37 PM by bugmenot.)
Post: #12
RE: URL commands borked after upgrade to IE8
(Jul. 29, 2010 09:38 AM)bugmenot Wrote:  "//" still works. You get a yellow warning bar, but it works.
Turns out it only works in static pages. Dynamic pages get messed up because they think it's really part of the URL.

(Aug. 05, 2010 03:26 PM)whenever Wrote:  Browsers see ?prx-command=dbug.. while Proxomitron still sees debug..

There is a filter to do the translation
Actually, it's two header filters. Those two were the answer I needed:
  • ! : Redir: Delayed - Prox Query Strings I 7.12.01 [sd] (d.r) (Out)
  • ! : Redir: Final Redirect 5.03.02 [sd] (d.r) (Out)
They use Proxo's $RDIR matching command to redirect into the official URL commands. The redirection works because it turns out the transparency of the almost decade-old $RDIR command beats Microsoft's latest defenses!
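The translation described in posts #11 and #12, modelled in Python as an added example; it is not Proxomitron filter code and not part of any config set named in the thread. Assumptions: the prefix form is `http://dbug..host/`, a command is one or more `name..` tokens, and all function names are hypothetical. It also shows that the prefix form puts an empty label (two dots in a row) into the hostname, while the suffix form leaves the hostname valid.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

PARAM = "prx-command"  # query key quoted in the thread
# Assumed command shape: one or more "name.." tokens, e.g. "dbug.."
COMMAND = re.compile(r"(?:[a-z0-9_-]+\.\.)+")


def split_command(url):
    """Return (url_without_command, command); command is None if absent."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    commands = [v for k, v in pairs if k == PARAM]
    if not commands:
        return url, None
    rest = urlencode([(k, v) for k, v in pairs if k != PARAM])
    return urlunsplit(parts._replace(query=rest)), commands[-1]


def to_prefix_form(url):
    """Rewrite the suffix form into the assumed prefix form the proxy acts on."""
    clean, command = split_command(url)
    if command is None:
        return url
    # Only splice text into the host if it looks like a command.
    if not COMMAND.fullmatch(command):
        raise ValueError("not a recognised command: %r" % command)
    parts = urlsplit(clean)
    userinfo, at, hostport = parts.netloc.rpartition("@")
    return urlunsplit(parts._replace(netloc=userinfo + at + command + hostport))


def has_empty_label(host):
    """True if a hostname contains an empty DNS label (two dots in a row)."""
    if host.endswith("."):
        host = host[:-1]  # a single trailing root dot is legal
    return "" in host.split(".")


if __name__ == "__main__":
    # Constructed sample URLs; the first is the one quoted in post #8.
    for sample in ("http://www.google.com/?prx-command=dbug..",
                   "http://example.test/search?q=a+b&prx-command=dbug.."):
        target = to_prefix_form(sample)
        print(sample, "->", target, has_empty_label(urlsplit(target).hostname))
```
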