Firewall Wizards mailing list archives
Re: Web Site Hacks
From: "-= ArkanoiD =-" <ark () mpak convey ru>
Date: Wed, 3 Dec 97 23:38:09 +0300
nuqneH,
Date: Tue, 2 Dec 1997 21:10:19 GMT
From: Edward Cracknell <edward () securIT net>
To: "Firewall Wizards (Marcus J. Ranum's new moderated mail list)" <firewall-wizards () nfr net>
Subject: Web Site Hacks
[dd]
Assuming the Web server is behind the firewall and only http is allowed:

a) The ability to run cgi-bin scripts or html form processing in a way which will create an html page as output. (Many form-based pages take input and produce a page for output). As a result, it might be possible to create a page that contains a URL like:

<A HREF=telnet://target.system.behind.firewall> Click here </A>

This would generally allow a telnet session from the web server to the target system and the firewall rules of ONLY http allowed through would not stop this.
Hmmm from the web _server_? why?

---
_ _ _ _ _ _ _ Must be a visit from the dead.. _| o |_ | | _|| | / _||_| |_ |_ |_ CU in Hell .......... Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_|