RE: Remote IIS 5.x and IIS 6.0 Server Name Spoof

["Sacha Faust" <sfaust () spidynamics com>]

 That's correct. Back in 2000-2001 I reported to Microsoft that they were using SERVER_NAME variable in some of their 
sample application which made some site even more vulnerable. Any server variable should be considered untrusted and 
validated like any other user input. This is the reason why our SecureObject product as been detecting server variable 
usage and protecting them automatically.

For more information visit http://www.spidynamics.com/products/devinspectso2003/index.html

Sacha Faust
Manager - SPILabs
S.P.I. Dynamics, Inc.
sfaust () spidynamics com
www.spidynamics.com
Secure. Protect. Inspect. 

-----Original Message-----
From: 3APA3A [mailto:3APA3A () SECURITY NNOV RU] 
Sent: August 23, 2005 6:19 AM
To: inge_eivind.henriksen () chello no
Cc: bugtraq () securityfocus com
Subject: Re: Remote IIS 5.x and IIS 6.0 Server Name Spoof

Dear inge_eivind.henriksen () chello no,

The bug here is not in ability to spoof SERVER_NAME, because SERVER_NAME is  untrusted  data  from  Host: request 
header or from proxy-style HTTP request  (like in case of your example). SERVER_NAME is ALWAYS untrusted data.  The  
bug  here  is  in  the way SERVER_NAME is used in error page genaration.  So,  you article should be called something 
like "Microsoft
IIS   error   page  access  validation  weakness".  If  any  script  use
SERVER_NAME in this way, this is vulnerability of the script itself.

--Monday, August 22, 2005, 7:23:08 PM, you wrote to bugtraq () securityfocus com:



ihcn> 6. Try and access it from a remote server with telnet again. This time use the following HTTP request:
ihcn> GET http://localhost/test.asp HTTP/1.0


--
~/ZARAZA
Но Гарри... я безусловно отдаю предпочтение ему, за высокую питательность и какое-то особенно нежное мясо. (Твен)