lists.openwall.net: Open Source and information security mailing list archives
Date: Tue, 23 Aug 2005 21:43:52 -0400
From: "Sacha Faust" <sfaust@...dynamics.com>
To: "3APA3A" <3APA3A@...URITY.NNOV.RU>,
	<inge_eivind.henriksen@...llo.no>
Cc: <bugtraq@...urityfocus.com>
Subject: RE: Remote IIS 5.x and IIS 6.0 Server Name Spoof


That's correct. Back in 2000-2001 I reported to Microsoft that they were using the SERVER_NAME variable in some of their sample applications, which made some sites even more vulnerable. Any server variable should be considered untrusted and validated like any other user input. This is the reason why our SecureObject product has been detecting server variable usage and protecting them automatically.

For more information visit http://www.spidynamics.com/products/devinspectso2003/index.html

Sacha Faust
Manager - SPILabs
S.P.I. Dynamics, Inc.
sfaust@...dynamics.com
www.spidynamics.com
Secure. Protect. Inspect. 

-----Original Message-----
From: 3APA3A [mailto:3APA3A@...URITY.NNOV.RU] 
Sent: August 23, 2005 6:19 AM
To: inge_eivind.henriksen@...llo.no
Cc: bugtraq@...urityfocus.com
Subject: Re: Remote IIS 5.x and IIS 6.0 Server Name Spoof

Dear inge_eivind.henriksen@...llo.no,

The bug here is not in the ability to spoof SERVER_NAME, because SERVER_NAME is untrusted data from the Host: request header or from a proxy-style HTTP request (like in the case of your example). SERVER_NAME is ALWAYS untrusted data. The bug here is in the way SERVER_NAME is used in error page generation. So, your article should be called something like "Microsoft IIS error page access validation weakness". If any script uses SERVER_NAME in this way, this is a vulnerability of the script itself.

--Monday, August 22, 2005, 7:23:08 PM, you wrote to bugtraq@...urityfocus.com:



ihcn> 6. Try and access it from a remote server with telnet again. This time use the following HTTP request:
ihcn> GET http://localhost/test.asp HTTP/1.0


--
~/ZARAZA
But Harry... I certainly give preference to him, for his high nutritional value and some especially tender meat. (Twain)
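As an added illustration of the point both messages make (this is not code from either poster, nor from IIS, the original advisory, or the SecureObject product): a small Python WSGI-style handler that treats the Host header and SERVER_NAME as untrusted input, checks the requested host against an allowlist, and shows the flawed "reflect SERVER_NAME into the error page" pattern next to a hardened version. The host names, the allowlist, and all function names are constructed for the example.

```python
"""Treating SERVER_NAME / Host as untrusted input (constructed example)."""
import html
import re

# Hosts this deployment legitimately answers for (assumed values).
ALLOWED_HOSTS = {"www.example.com", "example.com"}
CANONICAL_HOST = "www.example.com"

# A host name or bracketed IPv6 literal, with an optional :port suffix.
_HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[0-9a-f:.]+\])(:\d{1,5})?$", re.I)


def request_host(environ):
    """Return the host the client asked for (no port), or None if malformed.

    Prefers the Host header (HTTP_HOST) and falls back to SERVER_NAME. Both
    values are client-influenced, so the result is still untrusted data.
    """
    raw = (environ.get("HTTP_HOST") or environ.get("SERVER_NAME") or "").strip().lower()
    match = _HOST_RE.match(raw)
    return match.group(1) if match else None


def validated_host(environ):
    """Return the requested host only if it is one we actually serve."""
    host = request_host(environ)
    return host if host in ALLOWED_HOSTS else None


def error_page_unsafe(environ, status_text):
    """The flawed pattern the thread describes: SERVER_NAME is copied straight
    into the generated page, so whatever the client supplied is reflected."""
    return f"<p>{status_text} on http://{environ.get('SERVER_NAME', '')}/</p>"


def error_page_safe(environ, status_text):
    """Hardened version: only an allowlisted host is ever rendered; anything
    else falls back to the canonical host, and output is HTML-escaped."""
    host = validated_host(environ) or CANONICAL_HOST
    return f"<p>{html.escape(status_text)} on http://{html.escape(host)}/</p>"


def app(environ, start_response):
    """Minimal WSGI app: refuse requests for hosts we do not serve."""
    if validated_host(environ) is None:
        body = error_page_safe(environ, "Misdirected Request").encode("utf-8")
        start_response("421 Misdirected Request",
                       [("Content-Type", "text/html; charset=utf-8")])
        return [body]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


if __name__ == "__main__":
    # Constructed environ values of the kind a spoofed Host header produces.
    spoofed = {"SERVER_NAME": "spoofed.example", "HTTP_HOST": "spoofed.example"}
    print(error_page_unsafe(spoofed, "404 Not Found"))  # reflects spoofed.example
    print(error_page_safe(spoofed, "404 Not Found"))    # renders www.example.com
```

The allowlist check is the part that matters: whether the host name arrived via the Host header or via a proxy-style absolute-URI request line, the application only ever renders or redirects to a value it configured itself.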


