Bugtraq mailing list archives

RE: XWT Foundation Advisory

From: "Thor Larholm" <thor () pivx com>
Date: Tue, 30 Jul 2002 11:50:40 +0200

From: Microsoft Security Response Center [mailto:secure () microsoft com]

<snip mitigating factors>

I for one am in agreement on this issue, especially with regards to
"Default" sites on e.g. IIS - it is very uncommon for anyone to serve
content from the "Default" site (without checking the Host header) these
days.

That's not to say that sites like support.microsoft.com does not do this as
it seems to operate on the "Default" site, neglecting the most important
mitigating factor.

I still quite fail to see the relevance to firewalls, as nothing is
circumvented - the administrator has explicitly allowed HTTP traffic on
(most often) port 80.

Out of plain curiosity, how is this fixed in IE6SP1 - as the Netscape team
fixed it by demanding both sites to set document.domain, regardless if one
is the parent?



Regards
Thor Larholm, Security Researcher
PivX Solutions, LLC

Are You Secure?
http://www.PivX.com

Current thread:

RE: XWT Foundation Advisory Microsoft Security Response Center (Jul 29)
- Re: XWT Foundation Advisory Peter Watkins (Jul 30)
- <Possible follow-ups>
- RE: XWT Foundation Advisory Thor Larholm (Jul 30)
  - Re: XWT Foundation Advisory Adam Megacz (Jul 30)
  - RE: XWT Foundation Advisory Jason Coombs (Jul 30)