Firewall Wizards mailing list archives

RE: Web Site Hacks


From: Denis Gordon <denis () dcc govt nz>
Date: Thu, 4 Dec 1997 09:18:00 +1300

Edward Cracknell <edward () securIT net> said:

Web Site Hacks:

Phillip Mau <philbo () dmc net>  wrote:

[[  snip  ]]

Assuming the Web server is behind the firewall and only http is
allowed:

a) The ability to run cgi-bin scripts or html form processing in a way
which will create an html page as output. (Many form-based pages take
input and produce a page for output). As a result, it might be possible
to create a page that contains a URL like:

<A HREF=telnet://target.system.behind.firewall> Click here </A>

This would generally allow a telnet session from the web server to the
target system and the firewall rules of ONLY http allowed through would
not stop this.

But the 'page' this cgi script produces would be sent back to the
browser. To be activated, the user at the browser has to click it. So
any connection to 'target.system.behind.firewall' would be from the
browser, not from the firewall.

Or have I missed something fundamental here?

Denis Gordon - <denis () dcc govt nz>
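
An added example, not part of the original message: a check a site operator could run over form-generated pages to list links whose scheme is not http(s), since such a link in the returned page is acted on by whichever browser receives it. The function names, the allowlist and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption for this example: only web links and relative links are expected.
ALLOWED_SCHEMES = {"http", "https", ""}  # "" means a relative link


class LinkAudit(HTMLParser):
    """Collect every <a href> in a generated page together with its scheme."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names, so <A HREF=...> matches.
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value:
                scheme = urlsplit(value.strip()).scheme.lower()
                self.links.append((value, scheme))


def flag_links(page):
    """Return the hrefs whose scheme is outside ALLOWED_SCHEMES."""
    parser = LinkAudit()
    parser.feed(page)
    parser.close()
    return [href for href, scheme in parser.links if scheme not in ALLOWED_SCHEMES]


# Constructed sample of CGI output; the first anchor is the one quoted in the thread.
SAMPLE_PAGE = """<HTML><BODY>
<A HREF=telnet://target.system.behind.firewall> Click here </A>
<A HREF="http://www.example.com/index.html">Home</A>
<A HREF="/cgi-bin/form">Form</A>
</BODY></HTML>"""

if __name__ == "__main__":
    for href in flag_links(SAMPLE_PAGE):
        print("non-http link in generated page:", href)
```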


