[38104] in bugtraq
Santy and SSL
daemon@ATHENA.MIT.EDU (Ofer Shezaf)
Thu Jan 6 18:30:46 2005
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Date: Thu, 6 Jan 2005 16:39:47 -0500
Message-ID: <01FE74AA95A56946ADF84A4976618B97A1C1D3@utopiasystems.net>
From: "Ofer Shezaf" <Ofer.Shezaf@breach.com>
To: <bugtraq@securityfocus.com>
Content-Transfer-Encoding: 8bit
Since my company sells a product that decrypts SSL traffic in order to
enable intrusion detection systems to inspect it, I was looking for
examples of real world attacks hidden in SSL traffic.
As part of this research I examined Santy and found out that:
a. there are many phpBB sites protected by SSL:
I Just Googled something like: "inurl:https inurl:viewtopic
inurl:highlight", which is similar to the Santy search but also
requiring the page to be SSL protected and found 2000. Not enough to
spread a worm, but certainly enough to find some vulnerable sites to
deface.
b. Santy itself did not address SSL:
It parsed found URL using the pattern s#^http://##i (thus ignoring https
sites) and naturally also did not assume port 443 for https protocol.
Since modifying the code to handle SSL requires changing two lines, I
wondered if somebody has seen a variant or similar attack over SSL?
Ofer Shezaf
CTO, Breach Security
Tel: +972.9.956.0036 ext.212
Cell: +972.54.443.1119
ofers@breach.com
www.breach.com
