Firewall Wizards mailing list archives
Web Site Hacks
From: Edward Cracknell <edward () securIT net>
Date: Tue, 2 Dec 1997 21:10:19 GMT
Phillip Mau <philbo () dmc net> wrote:
<SNIP>

Philip raised a great thread in a direct mail to me; the essence of it was how web sites could be compromised. As a Java dunce, I'd love some input from you guys. Here's how I see it:

Assuming the Web server is not read only, and is in front of the firewall:

a) The usual host OS exploits can result in changes being made to the web server: ftp, telnet, smtp etc.

Assuming the Web server is behind the firewall and only http is allowed:

a) The ability to run cgi-bin scripts or html form processing in a way which will create an html page as output. (Many form-based pages take input and produce a page for output.) As a result, it might be possible to create a page that contains a URL like:

    <A HREF=telnet://target.system.behind.firewall> Click here </A>

This would generally allow a telnet session from the web server to the target system, and the firewall rules of ONLY http allowed through would not stop this.

b) The ability to directly upload cgi scripts or malicious code/applets is an obvious threat. The firewall should block this from the untrusted network.

c) Attacks made to the DNS parent of your web site (ISP) to 'point' traffic elsewhere.

The mechanisms for http authentication might be secure, but take point c in my list above... how many organisations check the 'hackability' of their ISP's DNS servers?

I know I've missed all the ActiveX and Java. Can we thrash these vulnerabilities out here?

-----------------------------------------------------------------
Edward Cracknell - <edward () SecurIT net>
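The mitigation for point (a) above, that a form-processing script should not let user-supplied input put arbitrary link schemes into the page it generates, is something a CGI author can enforce on the output side. The following is an added example written for this archive page, not code from the original post or its author: a small output filter built on the standard-library HTMLParser that re-emits generated HTML while dropping any anchor whose href is not plain http, https, mailto, or a same-site absolute path. The function names (link_allowed, filter_links, LinkFilter) and the sample HTML are constructed for the example.

```python
"""Scheme allow-list for links in CGI/form-generated HTML.

Added example (not from the original post). A form-processing script runs
this over the HTML it is about to emit, so that user-controlled input can
not smuggle links with schemes such as telnet:// into the generated page.
Rejected anchors are removed, their link text is kept as plain text, and
the rejected hrefs are collected so the script can log them.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Only these explicit schemes survive; everything else (telnet, javascript,
# file, gopher, ...) is dropped.  Assumption: the site only needs these.
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def link_allowed(href: str) -> bool:
    """True if href uses an allow-listed scheme, or is a same-site absolute
    path (leading '/', but not a scheme-relative '//host' URL)."""
    href = href.strip()
    scheme = urlsplit(href).scheme.lower()
    if scheme:
        return scheme in ALLOWED_SCHEMES
    return href.startswith("/") and not href.startswith("//")


class LinkFilter(HTMLParser):
    """Re-emit the document, removing <a> tags whose href fails link_allowed."""

    def __init__(self):
        # convert_charrefs=False so entities are passed through untouched
        super().__init__(convert_charrefs=False)
        self.out = []          # output fragments, joined at the end
        self.dropped = []      # hrefs that were rejected (for logging)
        self._skip_depth = 0   # > 0 while inside a rejected <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href", "") or ""
            if not link_allowed(href):
                self.dropped.append(href)
                self._skip_depth += 1
                return              # swallow the opening tag
        self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        # self-closing tags such as <br/> are copied verbatim
        self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag == "a" and self._skip_depth:
            self._skip_depth -= 1   # swallow the matching closing tag
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)       # link text of a dropped <a> stays as text

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def filter_links(html: str):
    """Return (filtered_html, list_of_rejected_hrefs)."""
    parser = LinkFilter()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    # Constructed sample of what a naive form handler might emit.
    sample = (
        '<p>Results for <b>x</b>: <a href="http://www.example.com/">ok</a>'
        ' and <A HREF=telnet://target.system.behind.firewall> Click here </A>'
        ' &amp; <a href="/search?q=1">search again</a></p>'
    )
    cleaned, rejected = filter_links(sample)
    print(cleaned)
    print("rejected:", rejected)
```

Because the filter works on the parsed tag rather than on raw text, it catches the unquoted, upper-case form used in the post (`<A HREF=telnet://...>`) as well as the quoted form, and it deliberately drops scheme-relative `//host` links, which a browser would still resolve to another host.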