[19847] in bugtraq


Re: SurfControl Bypass Vulnerability

daemon@ATHENA.MIT.EDU (Ben Ford)
Mon Mar 26 13:54:03 2001

MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Message-ID:  <3ABF4BCC.2030001@erisksecurity.com>
Date:         Mon, 26 Mar 2001 06:01:48 -0800
Reply-To: Ben Ford <bford@ERISKSECURITY.COM>
From: Ben Ford <bford@ERISKSECURITY.COM>
X-To:         Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET>
To: BUGTRAQ@SECURITYFOCUS.COM

The idea of IP based penetration is also flawed, in that you'd get the
default domain of the box anyways.  Unless that default domain has an
index page to give you a choice of virtual hosts (and many/most don't),
you wouldn't be able to access the desired http://www.juicysex.com anyways.

-b


Dan Harkless wrote:

> Paul Cardon <paul@MOQUIJO.COM> writes:
>
>>> Whatever software is doing that should be converting the "hostname"
>>> into something it can match.  A small amount of translation never
>>> goes astray.  When that is done, everything is either a hostname or
>>> a dotted-quad string and life is much easier.
>>
>> Chris and I recommended to the vendors that everything be translated to
>> a canonical form before matching (32-bit unsigned ints in network byte
>> order are tremendously unambiguous).
>
>
> A URL containing an IP address is not canonical for HTTP.  HTTP 1.1 does
> virtual hosting via the "Host:" header, so multiple distinct servers can be
> on a single IP.  If you restrict based on IP, you'll block access to both
> http://www.juicysex.com/ and http://www.bible-history.org/, should they both
> be on the same box.
>
> ----------------------------------------------------------------------
> Dan Harkless                   | To prevent SPAM contamination, please
> dan-bugtraq@dilvish.speed.net  | do not mention this private email
> SpeedGate Communications, Inc. | address in Usenet posts.  Thank you.
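
The canonicalization discussed in this thread, as an added example that is not part of the original messages and not any vendor's code: numeric host forms are reduced to one 32-bit integer before matching, while names are still matched as names because several virtual hosts can share an address. The function names, the policy sets and the sample address are constructed assumptions; the numeric forms accepted follow the classic inet_aton conventions.

```python
from urllib.parse import urlsplit

# Constructed policy entries for illustration only.
BLOCKED_ADDRS = {0xC0000207}        # 192.0.2.7 (TEST-NET-1)
BLOCKED_NAMES = {"blocked.example"}

_DIGITS = {8: "01234567", 10: "0123456789", 16: "0123456789abcdef"}

def _part(text):
    """Parse one dot-separated field as decimal, 0-prefixed octal or 0x hex."""
    t = text.lower()
    if t.startswith("0x"):
        base, digits = 16, t[2:]
    elif len(t) > 1 and t[0] == "0":
        base, digits = 8, t[1:]
    else:
        base, digits = 10, t
    if not digits or any(c not in _DIGITS[base] for c in digits):
        raise ValueError(text)
    return int(digits, base)

def host_to_u32(host):
    """Return a numeric IPv4 host as one 32-bit integer, or None for a name."""
    fields = host.split(".")
    if not 1 <= len(fields) <= 4:
        return None
    try:
        *head, last = [_part(f) for f in fields]
    except ValueError:
        return None
    # Leading fields are one byte each; the last field fills the remaining bytes.
    if any(n > 0xFF for n in head) or last >= 1 << (8 * (4 - len(head))):
        return None
    value = last
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return value

def decide(url):
    """Match addresses as integers and names as lowercased host values."""
    host = (urlsplit(url).hostname or "").lower()
    addr = host_to_u32(host)
    if addr is not None:
        return "block" if addr in BLOCKED_ADDRS else "allow"
    # A name is matched as a name: several virtual hosts can share one address.
    return "block" if host in BLOCKED_NAMES else "allow"
```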
