Bugtraq mailing list archives

Re: XWT Foundation Advisory


From: Adam Megacz <adam () megacz com>
Date: 30 Jul 2002 10:57:55 -0700


"Thor Larholm" <thor () pivx com> writes:
> I for one am in agreement on this issue, especially with regards to
> "Default" sites on e.g. IIS - it is very uncommon for anyone to
> serve content from the "Default" site (without checking the Host
> header) these days.

On the public Internet, you are correct. On private networks, however,
exactly the opposite is true. NameVirtualHosts are only used when you
need to have more than one site on a given IP. On a private network,
you are not bound by ARIN's limitations -- IPs are plentiful. Because
of this, most intranet sites *do* run off of the "default" Host.

Also, most SOAP web services do not check the Host header.


> I still quite fail to see the relevance to firewalls, as nothing is
> circumvented - the administrator has explicitly allowed HTTP traffic
> on (most often) port 80.

The administrator has assumed that only hosts on the private, internal
network can access the site. With this exploit, any person anywhere on
the public internet can access content on HTTP servers, or call SOAP
web services on the private network.

Every corporation I've ever worked for depended on this
internal/external distinction for security in some way. I don't
advocate this, but it's a very common practice.

  - a


-- 
Sick of HTML user interfaces?
www.xwt.org

Some people don't care if the pie is smaller, so long as they still
get all of it.
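
The message above turns on intranet servers and SOAP services answering on the "default" host without checking the Host header. One way to perform that check, as an added example that is not part of the original message or the advisory: a WSGI middleware that refuses any request whose Host header is not on an allowlist. The hostnames and the names `ALLOWED_HOSTS`, `normalize_host`, `host_allowed` and `HostCheckMiddleware` are assumptions made for illustration.

```python
# Added example: Host-header allowlist for an intranet HTTP service.
# Hostnames are constructed placeholders, not taken from the message.
ALLOWED_HOSTS = frozenset({"intranet.corp.example", "payroll.corp.example"})


def normalize_host(header):
    """Return the lowercase hostname from a Host header value, or None if malformed."""
    if not header:
        return None                           # missing or empty Host header
    host = header.strip().lower()
    if host.startswith("["):                  # IPv6 literal, e.g. [::1]:8080
        end = host.find("]")
        if end == -1:
            return None
        rest = host[end + 1:]
        host = host[1:end]
    else:
        host, sep, port = host.partition(":")
        rest = sep + port
    if rest and not (rest.startswith(":") and rest[1:].isdigit()):
        return None                           # anything but ":<digits>" after the host
    host = host.rstrip(".")                   # "name." and "name" are the same host
    return host or None


def host_allowed(header, allowed=ALLOWED_HOSTS):
    """True only when the header names a site this server is meant to serve."""
    host = normalize_host(header)
    return host is not None and host in allowed


class HostCheckMiddleware:
    """WSGI wrapper that answers 400 unless the Host header names an expected site."""

    def __init__(self, app, allowed=ALLOWED_HOSTS):
        self.app = app
        self.allowed = allowed

    def __call__(self, environ, start_response):
        if not host_allowed(environ.get("HTTP_HOST"), self.allowed):
            body = b"Unrecognized Host header\n"
            start_response("400 Bad Request", [("Content-Type", "text/plain"),
                                               ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)
```

Raw IP addresses are deliberately absent from the allowlist, so a request addressed to the server by IP, or by any name the administrator did not expect, is refused rather than served from the default site.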

