[19832] in bugtraq
Re: SurfControl Bypass Vulnerability
daemon@ATHENA.MIT.EDU (Dan Harkless)
Mon Mar 26 01:22:56 2001
Message-ID: <200103240020.QAA12638@dilvish.speed.net>
Date: Fri, 23 Mar 2001 16:20:44 -0800
Reply-To: Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET>
From: Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Message from Paul Cardon <paul@MOQUIJO.COM> of "Fri, 23 Mar 2001
11:34:50 EST." <3ABB7B2A.A9C5126@moquijo.com>
Paul Cardon <paul@MOQUIJO.COM> writes:
> > Whatever software is doing that should be converting the "hostname"
> > into something it can match. A small amount of translation never
> > goes astray. When that is done, everything is either a hostname or
> > a dotted-quad string and life is much easier.
>
> Chris and I recommended to the vendors that everything be translated to
> a canonical form before matching (32-bit unsigned ints in network byte
> order are tremendously unambiguous).
A URL containing an IP address is not canonical for HTTP. HTTP 1.1 does
virtual hosting via the "Host:" header, so multiple distinct servers can be
on a single IP. If you restrict based on IP, you'll block access to both
http://www.juicysex.com/ and http://www.bible-history.org/, should they both
be on the same box.
----------------------------------------------------------------------
Dan Harkless | To prevent SPAM contamination, please
dan-bugtraq@dilvish.speed.net | do not mention this private email
SpeedGate Communications, Inc. | address in Usenet posts. Thank you.
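
The two positions in this thread, side by side, as an added example that is not part of the original post or of any vendor's code: a filter that canonicalizes IPv4 literals to a 32-bit integer before matching, and the overblocking that follows if every request is reduced to its address. The names, the 192.0.2.10 address, the resolver table and the policy functions are constructed assumptions.

```python
# Added example: constructed names and addresses, not from the original thread.
BLOCKED_NAMES = {"blocked.example"}
# Hypothetical resolver table: two unrelated virtual hosts on one address.
DNS = {"blocked.example": "192.0.2.10", "allowed.example": "192.0.2.10"}

def canonical_ip(host):
    """Return an IPv4 literal (dotted, decimal, octal or hex, 1-4 parts) as a
    32-bit unsigned int, or None if host is not an IP literal."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = []
    for p in parts:
        if not (p.isascii() and p.isalnum()):
            return None
        base = 16 if p.lower().startswith("0x") else 8 if len(p) > 1 and p[0] == "0" else 10
        try:
            nums.append(int(p, base))
        except ValueError:
            return None  # a name label, or digits invalid for the base
    *head, last = nums
    # Leading parts are one byte each; the last part fills the remaining bytes.
    if any(n > 0xFF for n in head) or last >= 1 << (8 * (4 - len(head))):
        return None
    value = last
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return value

BLOCKED_IPS = {canonical_ip(DNS[name]) for name in BLOCKED_NAMES}

def normalize(host_header):
    """Lower-case the Host header value and drop any port and trailing dot."""
    return host_header.strip().lower().split(":")[0].rstrip(".")

def decide_by_ip(host_header):
    """IP-only policy: every request is reduced to its address first."""
    host = normalize(host_header)
    ip = canonical_ip(host)
    if ip is None and host in DNS:
        ip = canonical_ip(DNS[host])
    return "block" if ip in BLOCKED_IPS else "allow"

def decide_by_name(host_header):
    """Match names on the Host header; use the address only for IP literals."""
    host = normalize(host_header)
    ip = canonical_ip(host)
    if ip is None:
        return "block" if host in BLOCKED_NAMES else "allow"
    return "block" if ip in BLOCKED_IPS else "allow"
```

decide_by_ip() blocks allowed.example because it shares an address with blocked.example; decide_by_name() keeps the two apart and falls back to the canonical address only when the request carries no name at all.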