Bugtraq mailing list archives
Re: XWT Foundation Advisory
From: Adam Megacz <adam () megacz com>
Date: 30 Jul 2002 10:57:55 -0700
"Thor Larholm" <thor () pivx com> writes:

> I for one am in agreement on this issue, especially with regards to "Default" sites on e.g. IIS - it is very uncommon for anyone to serve content from the "Default" site (without checking the Host header) these days.

On the public Internet, you are correct. On private networks, however, exactly the opposite is true. NameVirtualHosts are only used when you need to have more than one site on a given IP. On a private network, you are not bound by ARIN's limitations -- IPs are plentiful. Because of this, most intranet sites *do* run off of the "default" Host. Also, most SOAP web services do not check the Host header.

> I still quite fail to see the relevance to firewalls, as nothing is circumvented - the administrator has explicitly allowed HTTP traffic on (most often) port 80.

The administrator has assumed that only hosts on the private, internal network can access the site. With this exploit, any person anywhere on the public internet can access content on HTTP servers, or call SOAP web services on the private network. Every corporation I've ever worked for depended on this internal/external distinction for security in some way. I don't advocate this, but it's a very common practice.

  - a

--
Sick of HTML user interfaces? www.xwt.org
Some people don't care if the pie is smaller, so long as they still get all of it.
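The Host header check that both messages refer to, sketched as WSGI middleware for a server on a private network. This is an added example, not code from the thread or from the advisory; the allowed hostnames and the names `HostAllowlist`, `normalize_host` and `status_for` are assumptions made for illustration.

```python
# Added example: reject requests whose Host header is not a name this server
# is known by, instead of answering every request from the "default" site.
from wsgiref.util import setup_testing_defaults

# Assumption: constructed placeholder names for one internal server.
ALLOWED_HOSTS = frozenset({"intranet.corp.example", "10.0.0.5"})

def normalize_host(raw):
    """Return the lowercase hostname from a Host value, or None if malformed."""
    if not raw:
        return None                      # HTTP/1.0-style request without Host
    name, sep, port = raw.strip().lower().partition(":")
    if sep and not port.isdigit():
        return None                      # bad port; IPv6 literals also land here
    return name.rstrip(".") or None      # "host." and "host" are the same name

class HostAllowlist:
    """WSGI middleware: pass the request on only for an allowlisted Host."""
    def __init__(self, app, allowed=ALLOWED_HOSTS):
        self.app = app
        self.allowed = allowed

    def __call__(self, environ, start_response):
        host = normalize_host(environ.get("HTTP_HOST"))
        if host not in self.allowed:     # None (missing/malformed) fails closed
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"unrecognized Host header\n"]
        return self.app(environ, start_response)

def demo_app(environ, start_response):
    """Stand-in for the internal site or SOAP endpoint being protected."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"internal content\n"]

def status_for(host_header):
    """Send one constructed request through the middleware; return the status."""
    environ = {}
    setup_testing_defaults(environ)      # fills in a minimal WSGI environ
    if host_header is None:
        environ.pop("HTTP_HOST", None)
    else:
        environ["HTTP_HOST"] = host_header
    seen = []
    HostAllowlist(demo_app)(environ, lambda status, headers: seen.append(status))
    return seen[0]

if __name__ == "__main__":
    for h in ("intranet.corp.example", "10.0.0.5:8080", "other.example", None):
        print(repr(h), "->", status_for(h))
```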