Bugtraq mailing list archives
Re: SurfControl Bypass Vulnerability
From: Ben Ford <bford () ERISKSECURITY COM>
Date: Mon, 26 Mar 2001 06:01:48 -0800
The idea of IP based penetration is also flawed, in that you'd get the default domain of the box anyways. Unless that default domain has an index page to give you a choice of virtual hosts (and many/most don't), you wouldn't be able to access the desired http://www.juicysex.com anyways.

-b

Dan Harkless wrote:

> Paul Cardon <paul () MOQUIJO COM> writes:
>
> > Whatever software is doing that should be converting the "hostname" into something it can match. A small amount of translation never goes astray. When that is done, everything is either a hostname or a dotted-quad string and life is much easier.
> >
> > Chris and I recommended to the vendors that everything be translated to a canonical form before matching (32-bit unsigned ints in network byte order are tremendously unambiguous).
>
> A URL containing an IP address is not canonical for HTTP. HTTP 1.1 does virtual hosting via the "Host:" header, so multiple distinct servers can be on a single IP. If you restrict based on IP, you'll block access to both http://www.juicysex.com/ and http://www.bible-history.org/, should they both be on the same box.
>
> ----------------------------------------------------------------------
> Dan Harkless                      | To prevent SPAM contamination, please
> dan-bugtraq () dilvish speed net  | do not mention this private email
> SpeedGate Communications, Inc.    | address in Usenet posts.  Thank you.
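The trade-off the thread argues over, as an added example that is not code from any of the posters: rules and URL hosts are reduced to a canonical form (lowercase name, or 32-bit integer for a dotted quad) before matching, and optionally hostname rules are expanded to the address they map to, which catches IP-literal URLs but, because of virtual hosting, also blocks every other site on that address. The name-to-address table is constructed so the example runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed name->address table standing in for DNS; two sites share one
# address, as in the scenario Dan Harkless describes.
DNS = {
    "www.juicysex.com": "10.0.0.5",
    "www.bible-history.org": "10.0.0.5",
    "www.example.org": "10.0.0.9",
}


def canonical_host(url):
    """Reduce a URL's host to ('ip', 32-bit int) or ('name', lowercase str).

    urlsplit().hostname already lowercases and drops port and userinfo; the
    trailing dot of a fully qualified name is stripped so 'host.' == 'host'.
    """
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError("URL has no host: %r" % url)
    try:
        return ("ip", int(ipaddress.IPv4Address(host)))
    except ipaddress.AddressValueError:
        return ("name", host.rstrip("."))


def compile_rules(rules, dns=DNS, resolve=False):
    """Canonicalise block-list entries.  With resolve=True each hostname rule
    is also expanded to the address it maps to (the IP-based policy)."""
    canon = set()
    for rule in rules:
        kind, value = canonical_host("http://" + rule)
        canon.add((kind, value))
        if resolve and kind == "name" and value in dns:
            canon.add(("ip", int(ipaddress.IPv4Address(dns[value]))))
    return canon


def is_blocked(url, rules, dns=DNS, resolve=False):
    """Match the URL's host by canonical value; when resolving, also match
    the address a hostname maps to, which is where overblocking comes from."""
    canon = compile_rules(rules, dns, resolve)
    kind, value = canonical_host(url)
    if (kind, value) in canon:
        return True
    if resolve and kind == "name" and value in dns:
        return ("ip", int(ipaddress.IPv4Address(dns[value]))) in canon
    return False
```

With `resolve=False` a hostname-only rule never matches an IP-literal URL; with `resolve=True` it does, and the co-hosted www.bible-history.org is blocked along with it.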