Firewall Wizards mailing list archives
Re: Web Site Hacks
From: Michael Kyle <mikek () lanl gov>
Date: Thu, 04 Dec 1997 08:13:59 -0700
Edward Cracknell wrote:
a) The ability to run cgi-bin scripts or html form processing in a way which will create an html page as output. (Many form-based pages take input and produce a page for output). As a result, it might be possible to create a page that contains a URL like: <A HREF=telnet://target.system.behind.firewall> Click here </A> This would generally allow a telnet session from the web server to the target system and the firewall rules of ONLY http allowed through would not stop this.
The telnet still occurs on port 23 from the client that clicks on the link, not from the webserver.
c) Attacks made to the DNS parent of your web site (ISP) to 'point' traffic elsewhere
trust and security are vital ... I'd control all of my name servers if I were you.
--
-----------------------------------------------------------------------
Michael F. Kyle                               PHONE: (505) 667-3230
CIC/Advanced Computing Laboratory, MS B287    FAX: (505) 665-4939
Los Alamos, NM 87545                          EMAIL: mikek () lanl gov