lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 11 Jun 2004 10:45:39 -0700
From: "Drew Copley" <dcopley@...e.com>
To: "Thor Larholm" <thor@...x.com>, <full-disclosure@...ts.netsys.com>,
   <bugtraq@...urityfocus.com>
Cc: <ntbugtraq@...tserv.ntbugtraq.com>
Subject: RE: COELACANTH: Phreak Phishing Expedition]


 

> -----Original Message-----
> From: Thor Larholm [mailto:thor@...x.com] 
> Sent: Thursday, June 10, 2004 6:10 PM
> To: Drew Copley; full-disclosure@...ts.netsys.com; 
> bugtraq@...urityfocus.com
> Cc: ntbugtraq@...tserv.ntbugtraq.com
> Subject: RE: COELACANTH: Phreak Phishing Expedition]
> 
> You can't replicate this with most other servers because the 
> Host header
> is set to a non-existant site on most servers.
> 
> Whenever IIS or Apache receives a request it will first locate the
> proper site based on the IP adress being used, after which it will
> lookup based on the Host header. In the case of e-gold, they 
> have simply
> not specified a Host header for the IIS website that they configured.
> You can send a HTTP request to e-gold.com with "Host: foobar" 
> and their
> site still comes up, even though you should only get their site with a
> header such as "Host: e-gold.com" or "Host: www.e-gold.com".
> 
> HTTP 1.1 requires the use of a Host header and it is bad practice to
> accept HTTP requests without a Host header that corresponds 
> to a locally
> configured site.

<snip>

I use no host header and munged ones all the time, using custom
clients and servers for testing. No one has a problem with this,
not Apache, nor IIS, anyway. (I won't get on the subject of RFC
compliancy except to say it is something quite often ignored...)

I believe the bitlance solution this morning is correct. It is a magic
dns
issue. "whatevercraphere.com.yourmagicdnssite.com" being allowed
is the problem.

Very amusing situation in an academic kind of way...






_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ