lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu Mar 16 01:37:50 2006
From: gboyce at badbelly.com (gboyce)
Subject: strange domain name in phishing email

Can you do a packet capture, and find out what the request to the server 
looks like?

Apache 2 doesn't seem to like the decimal host definition sent by most 
browsers.  Perhaps IE 7 converts the decimal IP back into octal before 
sending it to the server.

On Thu, 16 Mar 2006, Alice Bryson wrote:

> hi there:
> When I use IE 6 web browser, Apache 1.3 accept this kind of request
> but Apache 2.0 doesn't.
> When I use IE 7 web browser, Apache 2.0 also accept this kind of request.
>
>
> 2006/3/15, gboyce <gboyce@...belly.com>:
>> On Tue, 14 Mar 2006, Chris Umphress wrote:
>>
>>> On 3/14/06, gboyce <gboyce@...belly.com> wrote:
>>>> I tried this trick against my personal Apache 2 webserver, and got a 400
>>>> bad request as well.  The apache log is showing "Client sent malformed
>>>> Host header".
>>>>
>>>> It looks like Apache is getting the decimal host header, and doesn't
>>>> understand what to do with it.  Oddly, the host mentioned in the initial
>>>> e-mail is also Apache, but it's Apache 1.3.
>>>>
>>>> Is your Apache on windows server 1.x or 2.x?
>>>
>>>
>>> I'll jump in and say that mine works works this way (If you want to
>>> verify, it is http://1136002182/).
>>>
>>> I am using Apache 1.3 and have several virtual hosts set up. Since
>>> Apache returns the first virtual host if it doesn't match the names of
>>> any of the other virtual hosts. That could be the determining factor
>>> for why some work and others don't.
>>
>> I have virtual hosts setup as well, and this behavior doesn't work for me.
>>
>> I tested a few different servers, and what I've found is that Apache 1.3
>> accepts hosts defined in this manner.  Apache 2.0 fails with a 400 error.
>>
>> Greg
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>
> --
> Homepage:http://www.lwang.org
> We collect spam for research at:
> mailto:abryson@...efocus.com
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ