Date: Tue, 29 Jul 2003 17:01:06 -0400 (Est (heure d'été))
From: Joshua Slive <joshua@...ve.ca>
To: docs@...pd.apache.org
Cc: Michael Shigorin <mike@...n.org.ua>, "Greg A. Woods" <woods@...rd.com>, bugtraq@...urityfocus.com
Subject: Re: Apache 1.3.27 mod_proxy security issue

On Tue, 29 Jul 2003, William A. Rowe, Jr. wrote:

> At 12:31 PM 7/23/2003, Greg A. Woods wrote:
>
> >I don't know how clients are matched against domains in ACL statements
> >such as the above in Apache, but I will note that it is NEVER safe to
> >rely on the Reverse DNS alone to implement ACLs that affect the ability
> >of a random remote client system.
>
> On this point, too, it would be valuable to provide an example subnet as
> a preferable alternative to reverse DNS queries. That change has not been
> made yet - but is referred to our documentation project.

Apache does double-reverse lookups to assure that nothing too funky is
going on, so using dns names is relatively safe. It is still better to
use an IP subnet for performance reasons, but the hostname may be easier
to understand as an example.

Joshua.
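The double-reverse check discussed in this message, modelled as an added example that is not part of the original post and is not Apache's own code. The DNS tables, addresses and function names are constructed for illustration; a real check would query a resolver instead of the two dictionaries.

```python
import ipaddress

# Constructed sample DNS data (assumption, not from the thread).
# PTR records are published by whoever controls the address block,
# so the owner of 203.0.113.66 can claim any hostname it likes.
PTR = {
    "192.0.2.10": "proxy-user.example.com",
    "203.0.113.66": "trusted.example.com",  # forged by the address owner
}
# Forward records are published by the owner of example.com.
FWD = {
    "proxy-user.example.com": ["192.0.2.10"],
    "trusted.example.com": ["192.0.2.20"],
}

def double_reverse(ip, ptr=PTR, fwd=FWD):
    """Return the hostname for ip only if it resolves back to ip."""
    name = ptr.get(ip)
    if name is None:
        return None
    # Forward confirmation: the name's own zone must list this address.
    return name if ip in fwd.get(name, []) else None

def host_matches(name, domain):
    """Match on a label boundary so evilexample.com != example.com."""
    name = name.lower().rstrip(".")
    domain = domain.lower().strip(".")
    return name == domain or name.endswith("." + domain)

def allow_by_domain(ip, domain, verify=True):
    """Hostname ACL; verify=False models trusting reverse DNS alone."""
    name = double_reverse(ip) if verify else PTR.get(ip)
    return name is not None and host_matches(name, domain)

def allow_by_subnet(ip, cidr):
    """Subnet ACL: no DNS lookups at all, so nothing to forge or wait on."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.66"):
        print(ip,
              "reverse-only:", allow_by_domain(ip, "example.com", verify=False),
              "double-reverse:", allow_by_domain(ip, "example.com"),
              "subnet:", allow_by_subnet(ip, "192.0.2.0/24"))
```

The forged PTR record passes the reverse-only check but fails forward confirmation, while the subnet rule reaches the same decision without any lookup.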