| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1097681832.3251.3.camel@meposs> From: dan at losangelescomputerhelp.com (Daniel H. Renner) Subject: Possibly a stupid question RPC over HTTP Daniel, Could you please point out where you read this data? I would like to see this one... -- Daniel H. Renner <dan@...angelescomputerhelp.com> Los Angeles Computerhelp On Tue, 2004-10-12 at 20:54, full-disclosure-request@...ts.netsys.com wrote: > Message: 18 > Date: Tue, 12 Oct 2004 12:41:56 -0700 > From: "Daniel Sichel" <daniels@...derosatel.com> > To: <full-disclosure@...ts.netsys.com> > Subject: [Full-Disclosure] Possibly a stupid question RPC over HTTP > > This may just reflect my ignorance, but I read (and found hard to > believe) that Microsoft has implemented RPC over HTTP. Is this not a > HUGE security hole? If I understand it correctly it means that good old > HTML or XML can invoke a process using standard web traffic (port 80)? > Is there any permission checking done? what things can be invoked by RPC > over HTTP? Jeeze, to me it looks like the barn door is now wide open. Am > I right, and if so, how can I detect RPCs in web traffic to block this > junk? Can ANY stateful packet filter see this stuff or is the pattern > too broad in allowed RPCs? > > Again, I hope this is not a stupid question or inappropriate format for > this, as somebody else recently said, there is already enough noise on > this list. I would hate to see this list degenerate, it has been REALLY > valuable to me as a network engineer on occaison. > > Thanks all, > Dan Sichel > Ponderosa telephone > daniels@...derosatel.com >
Powered by blists - more mailing lists