
Re: CURLOPT_SCOPE

From: Dan Fandrich <dan_at_coneharvesters.com>
Date: Wed, 9 Jul 2008 17:33:15 -0700

On Thu, Jul 10, 2008 at 02:13:58AM +0200, Yang Tse wrote:
> 2008/7/9, Dan Fandrich wrote:
>
> > One thought that came to me about the URL proposal is whether
> > it presents a security risk. Embedding the scope into the URL
> > means that a malicious site could redirect a URL to a specific
> > local network interface, bypassing the routing tables on a machine.
>
> Maybe that's the reason for the behaviour that MS documents on the
> already posted link...
>
> "
> For all sockets operations, WinINet uses the scope ID. However,
> because the scope ID has only local host significance, it is not sent
> as part of the HTTP protocol headers in the request. For example, the
> call to InternetOpenUrl is called with the following URL in the
> lpszUrl parameter.
>
> http://[fec0::2%251]:80/path.htm
>
> The scope ID portion of the URL is removed by WinINet when the HTTP
> request is sent for this URL. The request contains the following
> headers:
>
> GET path.htm HTTP/1.1
> Host: [fec0::2]
> "

That's not quite the scenario I was thinking about. A malicious server
could redirect a browser to a device on an interface that data would not
normally be sent on just through a normal 302 redirect, e.g.

HTTP/1.1 301 Moved Permanently
Location: http://[fe80::1234%251]/operation.cgi?request=reboot

which would cause a browser request like:

GET /operation?request=reboot HTTP/1.1
Host: [fe80::1234]

Sure, the scope ID is stripped off, but that doesn't really matter since
it has already contacted the forbidden server on the local LAN. Again, I'm
not convinced this is much worse than the equivalent IPv4 case.

>>> Dan

-- 
http://www.MoveAnnouncer.com              The web change of address service
          Let webmasters know that your web site has moved
Received on 2008-07-10
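Added example, not code from curl or from anyone in this thread: a Python check a client could run on a 3xx Location before following it, using the URLs quoted in the mail above as constructed input. It derives the Host header a client would send (scope ID dropped, as the quoted WinINet text describes) and refuses redirect targets that carry a zone ID or that name link-local, site-local, loopback or private IPv6 addresses. The function names and the policy itself are this example's own assumptions.

```python
import ipaddress
import re
from urllib.parse import unquote

# Authority of an http(s) URL holding a bracketed IPv6 literal. RFC 6874
# encodes the zone separator as "%25" (so "%251" is zone "1"), which is the
# form used in the Location header quoted in the mail; a raw "%" is accepted
# too. An optional ":port" may follow the closing bracket.
_V6_AUTHORITY = re.compile(
    r"^https?://\[([0-9A-Fa-f:.]+)(?:%25|%)?([^\]]*)\](?::(\d+))?(?=[/?#]|$)"
)


def parse_v6_target(url):
    """Return (IPv6Address, zone_id or None, port or None) for a URL whose
    host is a bracketed IPv6 literal, or None for any other URL."""
    m = _V6_AUTHORITY.match(url)
    if not m:
        return None
    addr = ipaddress.IPv6Address(m.group(1))   # zone is kept out of the address
    zone = unquote(m.group(2)) or None
    port = int(m.group(3)) if m.group(3) else None
    return addr, zone, port


def host_header(url):
    """The Host header value a client would send: the scope ID has only
    local significance and is not transmitted (e.g. "[fe80::1234]")."""
    parsed = parse_v6_target(url)
    if parsed is None:
        return None
    addr, _zone, port = parsed
    default = 80 if url.startswith("http:") else 443
    return f"[{addr}]" if port in (None, default) else f"[{addr}]:{port}"


def redirect_allowed(location):
    """Defensive policy (assumed, not curl's): refuse to follow a redirect
    to an IPv6 literal that carries a zone ID or that lies in a scope only
    reachable from this host's own interfaces. The Host header would look
    harmless after stripping, but the connection would already have been
    made on that interface, which is the point raised in the mail."""
    parsed = parse_v6_target(location)
    if parsed is None:
        return True   # not an IPv6 literal; outside this check's scope
    addr, zone, _port = parsed
    if zone is not None:
        return False
    return not (addr.is_link_local or addr.is_site_local
                or addr.is_loopback or addr.is_private)
```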