Full Disclosure mailing list archives
RE: COELACANTH: Phreak Phishing Expedition]
From: "Drew Copley" <dcopley () eEye com>
Date: Fri, 11 Jun 2004 10:45:39 -0700
-----Original Message----- From: Thor Larholm [mailto:thor () pivx com] Sent: Thursday, June 10, 2004 6:10 PM To: Drew Copley; full-disclosure () lists netsys com; bugtraq () securityfocus com Cc: ntbugtraq () listserv ntbugtraq com Subject: RE: COELACANTH: Phreak Phishing Expedition] You can't replicate this with most other servers because the Host header is set to a non-existant site on most servers. Whenever IIS or Apache receives a request it will first locate the proper site based on the IP adress being used, after which it will lookup based on the Host header. In the case of e-gold, they have simply not specified a Host header for the IIS website that they configured. You can send a HTTP request to e-gold.com with "Host: foobar" and their site still comes up, even though you should only get their site with a header such as "Host: e-gold.com" or "Host: www.e-gold.com". HTTP 1.1 requires the use of a Host header and it is bad practice to accept HTTP requests without a Host header that corresponds to a locally configured site.
<snip> I use no host header and munged ones all the time, using custom clients and servers for testing. No one has a problem with this, not Apache, nor IIS, anyway. (I won't get on the subject of RFC compliancy except to say it is something quite often ignored...) I believe the bitlance solution this morning is correct. It is a magic dns issue. "whatevercraphere.com.yourmagicdnssite.com" being allowed is the problem. Very amusing situation in an academic kind of way... _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: COELACANTH: Phreak Phishing Expedition] Thor Larholm (Jun 10)
- RE: COELACANTH: Phreak Phishing Expedition] Jelmer (Jun 11)
- RE: COELACANTH: Phreak Phishing Expedition] Benjamin Franz (Jun 11)
- <Possible follow-ups>
- RE: COELACANTH: Phreak Phishing Expedition] Drew Copley (Jun 11)
- RE: COELACANTH: Phreak Phishing Expedition] Drew Copley (Jun 21)
- RE: COELACANTH: Phreak Phishing Expedition] Jelmer (Jun 23)