| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: mducharme at cybergeneration.com (Maxime Ducharme) Subject: Possibly a stupid question RPC over HTTP Hi Daniel & Daniel I agree this can lead to security holes. There are ways to make it "more secure" (if you can call it secure), here are some links about this subject : (sorry for wrapped urls) http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/remote_procedure_calls_using_rpc_over_http.asp http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/rpc_over_http_security.asp http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx http://www.scripting.com/98/04/stories/bobAtkinsonOnHttpPost.html http://www.winnetmag.com/MicrosoftExchangeOutlook/Article/ArticleID/40018/MicrosoftExchangeOutlook_40018.html http://www.sanx.org/tipShow.asp?articleRef=117 http://www.kb.cert.org/vuls/id/698564 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0807 http://searchexchange.techtarget.com/originalContent/0,289142,sid43_gci963557,00.html Have a nice day Maxime Ducharme Programmeur / Sp?cialiste en s?curit? r?seau ----- Original Message ----- From: "Daniel H. Renner" <dan@...angelescomputerhelp.com> To: <full-disclosure@...ts.netsys.com> Sent: Wednesday, October 13, 2004 11:37 AM Subject: Re: [Full-Disclosure] Possibly a stupid question RPC over HTTP > Daniel, > > Could you please point out where you read this data? I would like to > see this one... > -- > Daniel H. Renner <dan@...angelescomputerhelp.com> > Los Angeles Computerhelp > > > On Tue, 2004-10-12 at 20:54, full-disclosure-request@...ts.netsys.com > wrote: > > Message: 18 > > Date: Tue, 12 Oct 2004 12:41:56 -0700 > > From: "Daniel Sichel" <daniels@...derosatel.com> > > To: <full-disclosure@...ts.netsys.com> > > Subject: [Full-Disclosure] Possibly a stupid question RPC over HTTP > > > > This may just reflect my ignorance, but I read (and found hard to > > believe) that Microsoft has implemented RPC over HTTP. Is this not a > > HUGE security hole? If I understand it correctly it means that good old > > HTML or XML can invoke a process using standard web traffic (port 80)? > > Is there any permission checking done? what things can be invoked by RPC > > over HTTP? Jeeze, to me it looks like the barn door is now wide open. Am > > I right, and if so, how can I detect RPCs in web traffic to block this > > junk? Can ANY stateful packet filter see this stuff or is the pattern > > too broad in allowed RPCs? > > > > Again, I hope this is not a stupid question or inappropriate format for > > this, as somebody else recently said, there is already enough noise on > > this list. I would hate to see this list degenerate, it has been REALLY > > valuable to me as a network engineer on occaison. > > > > Thanks all, > > Dan Sichel > > Ponderosa telephone > > daniels@...derosatel.com > > > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html >
Powered by blists - more mailing lists