Malicious URL ? https://[::]/
Roger Marquis
marquis at roble.com
Wed Jan 24 20:02:56 UTC 2018
Dag-Erling Smørgrav wrote:
> Hang on a sec - localhost should be [::1], not [::], which is the
> equivalent of 0.0.0.0. My guess is a software bug. Jails look a little
> weird from the inside unless you use a fully virtualized network stack.
> The proxy probably doesn't have sufficient error checking around
> getpeername() or something like that.
Another intermediate URL-checker reports that the plugin in question
(CanvasBlocker) is requesting https://[::]/ directly. If a bug, this is
the first I've seen of its kind. If not, the question is what threat
profile [::]:443 might expose. (Other than the obvious jail vector
which really should be fixed. FreeBSD Foundation where are you?)
Karl's reference to RFC 4291 indicates it is a protocol violation as
well.
The symptom has been reported to Mozilla.
Roger
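
Added example, not part of the original message or of any project named in it: one way a URL-checking proxy could flag requests aimed at the unspecified address ([::], 0.0.0.0, or the IPv4-mapped form) as distinct from loopback ([::1]). The log format, sample lines and function names are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample lines (hypothetical format: timestamp client method url).
SAMPLE_LOG = """\
2018-01-24T20:01:10Z 192.0.2.10 CONNECT https://[::]/
2018-01-24T20:01:11Z 192.0.2.10 GET https://[::1]/status
2018-01-24T20:01:12Z 192.0.2.11 GET http://0.0.0.0:8080/
2018-01-24T20:01:13Z 192.0.2.11 GET https://www.example.org/
2018-01-24T20:01:14Z 192.0.2.12 GET https://[::ffff:0.0.0.0]/
"""

def classify_destination(url):
    """Label a URL's host: unspecified, loopback, other-ip, hostname, invalid."""
    try:
        host = urlsplit(url).hostname  # strips the [] around IPv6 literals
    except ValueError:
        return "invalid"
    if not host:
        return "invalid"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"  # a DNS name, not an address literal
    # Unwrap ::ffff:a.b.c.d so the embedded IPv4 address is what gets judged.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    if addr.is_unspecified:  # :: or 0.0.0.0; RFC 4291 forbids :: as a destination
        return "unspecified"
    if addr.is_loopback:     # ::1 or 127.0.0.0/8
        return "loopback"
    return "other-ip"

def flag_unspecified(log_text):
    """Return (client, url) for each request aimed at the unspecified address."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        _ts, client, _method, url = fields
        if classify_destination(url) == "unspecified":
            hits.append((client, url))
    return hits

if __name__ == "__main__":
    for client, url in flag_unspecified(SAMPLE_LOG):
        print(f"{client} requested unspecified-address destination {url}")
```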