Bugtraq mailing list archives
Re: nasty bug in wingate server, potential DOS.
From: tlangdon () ATCTRAINING COM AU (Tony Langdon)
Date: Tue, 18 Jul 2000 08:44:26 +1000
> if someone submits a USER command like this:
> USER login@host.domain@127.0.0.1@127.0.0.1
> PASS what3ver_u_want
This sounds like it could be worked around. In older versions of Wingate, it was possible to bind a service to a specific interface and apply policies based on source IPs, so it should be possible to work around the problem by:

1. Binding only the interface which will accept the connections from the clients (normally on the inside of the firewall).
2. Setting a policy which denies connections from any of the machine's local IP addresses (preventing this sort of relay loop).

I don't have this version of Wingate available, so can't test these workarounds.
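
A small model of the two workarounds in the reply above, added here as an example; it is not part of the original post and is not WinGate code. It assumes the proxy splits the USER argument at the rightmost '@' and that a connection to one of the host's own IPs arrives with that IP as its source; every address except the quoted USER string is constructed.

```python
# Constructed sample addresses; none come from the original post.
INSIDE_IF = "192.168.0.1"                                # LAN-facing interface of the proxy host
LOCAL_ADDRS = {"127.0.0.1", INSIDE_IF, "203.0.113.10"}   # every IP the host owns

def accepts(listen_addrs, deny_sources, dst_ip, src_ip):
    """Would the FTP proxy service accept a connection to dst_ip from src_ip?"""
    listening = "0.0.0.0" in listen_addrs or dst_ip in listen_addrs
    return listening and src_ip not in deny_sources

def self_relays(user_arg, client_ip, listen_addrs, deny_sources=frozenset()):
    """Count proxy-to-itself connections caused by one USER argument.

    Assumed model (not confirmed WinGate behaviour): the proxy splits USER at
    the rightmost '@' and connects to that host; a connection to one of its
    own IPs arrives with that same IP as the source address.
    """
    if not accepts(listen_addrs, deny_sources, INSIDE_IF, client_ip):
        return 0                       # the client never reached the service
    hops = 0
    while "@" in user_arg:
        user_arg, host = user_arg.rsplit("@", 1)
        if host not in LOCAL_ADDRS:
            break                      # a real upstream server: the chain ends here
        if not accepts(listen_addrs, deny_sources, host, host):
            break                      # binding or source policy refused the loop
        hops += 1
    return hops

USER_ARG = "login@host.domain@127.0.0.1@127.0.0.1"   # string quoted in the post
INSIDE_ARG = "login@host.domain@" + INSIDE_IF        # constructed: names the inside IP
CLIENT = "192.168.0.50"                              # constructed LAN client

if __name__ == "__main__":
    configs = {
        "listen on all, no policy":  ({"0.0.0.0"}, frozenset()),
        "step 1 only (bind inside)": ({INSIDE_IF}, frozenset()),
        "step 2 only (deny local)":  ({"0.0.0.0"}, LOCAL_ADDRS),
        "steps 1 and 2":             ({INSIDE_IF}, LOCAL_ADDRS),
    }
    for name, (listen, deny) in configs.items():
        loopback = self_relays(USER_ARG, CLIENT, listen, deny)
        inside = self_relays(INSIDE_ARG, CLIENT, listen, deny)
        print(f"{name:28} loopback arg: {loopback}  inside-IP arg: {inside}")
```

In this model, binding alone stops the loopback form but not a USER argument that names the inside interface's own address; the source-IP policy from step 2 covers that case.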
Current thread:
- nasty bug in wingate server, potential DOS. gregory duchemin (Jul 14)
- <Possible follow-ups>
- Re: nasty bug in wingate server, potential DOS. Tony Langdon (Jul 17)