Full Disclosure mailing list archives
Re: Possibly a stupid question RPC over HTTP
From: Kevin <KKadow () gmail com>
Date: Thu, 14 Oct 2004 01:05:04 -0500
On Wed, 13 Oct 2004 15:33:13 -0700 (PDT), S G Masood <sgmasood () yahoo com> wrote:
> Yeah, it certainly is a security risk in several ways. Decoding and inspecting HTTPS traffic at the perimeter before it reaches the server becomes an absolute necessity if RPC over HTTPS is implemented. Same with RPC over HTTP.
There was a Microsoft employee on-site for a few days this summer, and I noticed one day that he was reading MS email messages in Outlook 2003 (not OWA) from his laptop while connected to *our* private LAN. Any smart enterprise blocks all POP/IMAP/MAPI protocols both inbound and outbound, so this made me more than a bit suspicious...

When I checked the proxy traffic from the DHCP address assigned to his laptop, I saw normal-looking HTTP requests followed by additional RPC headers. Turns out the employee he was working with helpfully gave him the information to use the outbound proxy, and after configuring proxy settings in the control panel, it "just worked".

Our visitor went back to Redmond before I could get approval from management to modify the firewall configuration to explicitly block RPC-over-HTTP :(

Kevin

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
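The kind of check Kevin describes, pulling an outbound proxy's log and spotting the Outlook RPC-over-HTTP session among ordinary web requests, as an added example that is not code from the original post or from the list. It relies on two documented properties of Microsoft's RPC-over-HTTP transport: the client issues the HTTP methods RPC_IN_DATA and RPC_OUT_DATA, and the target resource is /rpc/rpcproxy.dll. The log format (Squid-style native access.log) and every log line below are constructed for the example, and the hostnames and addresses are placeholders. It also makes Masood's point concrete: a tunnelled HTTPS session reaches the proxy as a bare CONNECT host:443, so without TLS inspection the method and path are invisible and the line can only be flagged as opaque.

```python
"""Flag Outlook RPC-over-HTTP sessions in web-proxy access logs (added example)."""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Methods used by Microsoft's RPC-over-HTTP transport (one half-duplex
# channel each way) and the server-side endpoint that terminates them.
RPC_METHODS = {"RPC_IN_DATA", "RPC_OUT_DATA"}
RPC_PATH_RE = re.compile(r"/rpc/rpcproxy\.dll", re.IGNORECASE)

# Squid native access.log layout (assumed for the example):
# time elapsed client action/code size method url ident hierarchy/peer content-type
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<size>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample log: one browsing request, two RPC-over-HTTP
# half-channels, one HTTPS tunnel the proxy cannot look inside, one intranet hit.
SAMPLE_LOG = """
1097740000.123    45 10.0.5.77 TCP_MISS/200 1234 GET http://www.example.com/index.html - DIRECT/192.0.2.10 text/html
1097740001.456  1800 10.0.5.77 TCP_MISS/200 4096 RPC_IN_DATA http://mail.example.com/rpc/rpcproxy.dll?mbx1.example.com:6001 - DIRECT/192.0.2.20 application/rpc
1097740001.789 30000 10.0.5.77 TCP_MISS/200 65536 RPC_OUT_DATA http://mail.example.com/rpc/rpcproxy.dll?mbx1.example.com:6001 - DIRECT/192.0.2.20 application/rpc
1097740002.000  5000 10.0.5.77 TCP_TUNNEL/200 8192 CONNECT mail.example.com:443 - DIRECT/192.0.2.20 -
1097740003.000    12 10.0.5.78 TCP_HIT/200 512 GET http://intranet/logo.png - NONE/- image/png
"""


@dataclass
class Finding:
    client: str
    method: str
    url: str
    verdict: str  # "rpc-over-http" or "opaque-tls"


def classify(method: str, url: str) -> str:
    """Return 'rpc-over-http', 'opaque-tls', or 'ok' for one request."""
    # Either the RPC method or the rpcproxy.dll path alone is enough to flag:
    # a GET against rpcproxy.dll is the client probing the endpoint.
    if method in RPC_METHODS or RPC_PATH_RE.search(url):
        return "rpc-over-http"
    # A CONNECT tunnel hides the inner method; RPC over HTTPS would look
    # exactly like this, so it can only be reported as uninspectable.
    if method == "CONNECT":
        return "opaque-tls"
    return "ok"


def scan(lines: Iterable[str]) -> List[Finding]:
    """Parse proxy log lines and return every request worth a second look."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:  # blank or malformed line: skip rather than guess
            continue
        verdict = classify(m["method"], m["url"])
        if verdict != "ok":
            findings.append(Finding(m["client"], m["method"], m["url"], verdict))
    return findings


def hosts_with_rpc(findings: List[Finding]) -> List[str]:
    """Client addresses that definitely spoke RPC-over-HTTP through the proxy."""
    return sorted({f.client for f in findings if f.verdict == "rpc-over-http"})


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.verdict:14} {f.client:12} {f.method:12} {f.url}")
    print("RPC-over-HTTP clients:", hosts_with_rpc(scan(SAMPLE_LOG.splitlines())))
```

Detecting it is only half the job Kevin wanted done. On a Squid-type proxy the same two facts give the block: a method ACL for RPC_IN_DATA and RPC_OUT_DATA (`acl rpc method RPC_IN_DATA RPC_OUT_DATA` followed by `http_access deny rpc`) stops the plain-HTTP variant, but the CONNECT case still needs either TLS interception or a CONNECT policy restricted to approved destinations, which is exactly the perimeter inspection Masood is arguing for.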
Current thread:
- Possibly a stupid question RPC over HTTP Daniel Sichel (Oct 12)
- Re: Possibly a stupid question RPC over HTTP ASB (Oct 13)
- Re: Possibly a stupid question RPC over HTTP S G Masood (Oct 13)
- Re: Possibly a stupid question RPC over HTTP Kevin (Oct 14)
- Re: Possibly a stupid question RPC over HTTP S G Masood (Oct 14)
- Re: Possibly a stupid question RPC over HTTP S G Masood (Oct 13)
- <Possible follow-ups>
- Re: Possibly a stupid question RPC over HTTP Daniel H. Renner (Oct 13)
- Re: Possibly a stupid question RPC over HTTP Cory Whitesell (Oct 13)
- Re: Possibly a stupid question RPC over HTTP Sean Milheim (Oct 13)
- Re: Possibly a stupid question RPC over HTTP Barry Fitzgerald (Oct 13)
- Re: Possibly a stupid question RPC over HTTP Shannon Johnston (Oct 13)
- Re: Possibly a stupid question RPC over HTTP Byron L. Sonne (Oct 14)
- Re: Possibly a stupid question RPC over HTTP Maxime Ducharme (Oct 13)
- Re: Possibly a stupid question RPC over HTTP Rodrigo Barbosa (Oct 13)
- RE: Possibly a stupid question RPC over HTTP winter (Oct 14)
- Re: Possibly a stupid question RPC over HTTP Cory Whitesell (Oct 13)
(Thread continues...)
- Re: Possibly a stupid question RPC over HTTP ASB (Oct 13)