Poor browsers, confused into thinking that this is Intranet traffic because
it's dotless... <sigh>

See MS KB Q306121 and MS Security Bulletin MS01-051 for details and a patch
for IE.

HTH

Darren

> -----Original Message-----
> From: maillist [mailto:maillistat_private]
> Sent: Wednesday, December 05, 2001 1:25 PM
> To: vuln-devat_private
> Subject: Re: Proxy bypass in Opera : security related ?
>
> Hi,
> I don't know if that's a problem caused only by Opera, I found that 'bug'
> surfing with IE (6.0) too.
> Trying to access different web pages, some of them listed my real IP address
> instead of proxy address.
> (e.g. trying to make an account at www.ifriends.com).
> It might be a 'bug' in Opera/IE or a 'high security' web page.
>
>
> ----- Original Message -----
> From: "Nicolas Gregoire" <ngregoireat_private>
> To: <vuln-devat_private>
> Sent: Wednesday, December 05, 2001 11:22 AM
> Subject: Proxy bypass in Opera : security related ?
>
>
> > Hi,
> >
> > while I was trying to bypass some URL filtering software using specially
> > formatted URLs, I found a problem in the Opera browser.
> >
> > This bug was reported to Opera via their bug notification form, but I
> > haven't received any response so far.
> >
> > Details :
> > ======
> >
> > When the URL http://3638218280/ is requested, Opera will try to fetch the
> > page located at http://216.218.206.40/ (normal DWord to IP address
> > conversion [1]) *without* using the configured proxy settings.
> >
> > Scenario :
> > =========
> >
> > I haven't any really interesting scenario for this bug.
> > Yes, it's possible to make a user follow a link and get a page without
> > using the configured proxy, but if, in a company, there's a proxy and a
> > way to fetch web pages without using the proxy, the problem is, in my
> > opinion, a security policy problem ....
> >
> >
> > Does anybody see any security implication for this bug ?
> >
> >
> > Nicolas Grégoire [2]
> >
> >
> > [1] : http://www.fichtner.net/tools/ip2dword/
> > [2] : Please excuse my poor English
This archive was generated by hypermail 2b30 : Wed Dec 05 2001 - 23:02:39 PST
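The thread above describes a dotless host (http://3638218280/) being treated as local and fetched without the proxy. The following is an added example, not code from the thread or from any browser: it canonicalises numeric host forms before applying a "dotless means intranet" rule. The function names and the private-address policy in `zone` are assumptions made for illustration.

```python
import ipaddress
import string
from urllib.parse import urlsplit

def _part(text):
    """One host component, inet_aton style: 0x = hex, leading 0 = octal, else decimal."""
    if text.startswith("0x"):
        digits, base = text[2:], 16
    elif len(text) > 1 and text[0] == "0":
        digits, base = text[1:], 8
    else:
        digits, base = text, 10
    if not digits or any(c not in string.hexdigits for c in digits):
        raise ValueError(text)  # rejects signs, underscores, non-ASCII digits
    return int(digits, base)

def numeric_host_to_ipv4(host):
    """Return the IPv4Address a numeric host denotes, or None if it is a name."""
    try:
        *head, last = [_part(p) for p in host.lower().split(".")]
    except ValueError:
        return None
    # Leading parts are one byte each; the last part fills the remaining bytes.
    if len(head) > 3 or any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return ipaddress.IPv4Address(value)

def naive_is_intranet(host):
    """The shortcut discussed in the thread: no dot in the host means 'local'."""
    return bool(host) and "." not in host

def zone(url):
    """Canonicalise first, then classify. Assumed policy: a numeric host is an
    IP address and is 'intranet' only when it falls in a private range."""
    host = urlsplit(url).hostname or ""
    addr = numeric_host_to_ipv4(host)
    if addr is not None:
        return str(addr), "intranet" if addr.is_private else "internet"
    return host, "intranet" if naive_is_intranet(host) else "internet"

if __name__ == "__main__":
    # Constructed inputs; the first is the URL quoted in the thread.
    for u in ("http://3638218280/", "http://0xD8.0xDA.0xCE.0x28/",
              "http://intranet/", "http://www.example.com/"):
        print(u, "naive:", naive_is_intranet(urlsplit(u).hostname), "->", zone(u))
```

A URL filter or proxy auto-configuration rule that matches on the host string should compare against the canonical form returned here, so that decimal, hex and octal spellings of one address hit the same rule.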