lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <1298592551.20050823141924@SECURITY.NNOV.RU>
Date: Tue, 23 Aug 2005 14:19:24 +0400
From: 3APA3A <3APA3A@...URITY.NNOV.RU>
To: inge_eivind.henriksen@...llo.no
Cc: bugtraq@...urityfocus.com
Subject: Re: Remote IIS 5.x and IIS 6.0 Server Name Spoof


Dear inge_eivind.henriksen@...llo.no,

The bug here is not in ability to spoof SERVER_NAME, because SERVER_NAME
is  untrusted  data  from  Host: request header or from proxy-style HTTP
request  (like in case of your example). SERVER_NAME is ALWAYS untrusted
data.  The  bug  here  is  in  the way SERVER_NAME is used in error page
genaration.  So,  you article should be called something like "Microsoft
IIS   error   page  access  validation  weakness".  If  any  script  use
SERVER_NAME in this way, this is vulnerability of the script itself.

--Monday, August 22, 2005, 7:23:08 PM, you wrote to bugtraq@...urityfocus.com:



ihcn> 6. Try and access it from a remote server with telnet again. This time use the following HTTP request:
ihcn> GET http://localhost/test.asp HTTP/1.0


-- 
~/ZARAZA
Но Гарри... я безусловно отдаю предпочтение ему, за
высокую питательность и какое-то особенно нежное мясо. (Твен)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ