Bugtraq mailing list archives
Re: Remote IIS 5.x and IIS 6.0 Server Name Spoof
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Tue, 23 Aug 2005 14:19:24 +0400
Dear inge_eivind.henriksen () chello no, The bug here is not in ability to spoof SERVER_NAME, because SERVER_NAME is untrusted data from Host: request header or from proxy-style HTTP request (like in case of your example). SERVER_NAME is ALWAYS untrusted data. The bug here is in the way SERVER_NAME is used in error page genaration. So, you article should be called something like "Microsoft IIS error page access validation weakness". If any script use SERVER_NAME in this way, this is vulnerability of the script itself. --Monday, August 22, 2005, 7:23:08 PM, you wrote to bugtraq () securityfocus com: ihcn> 6. Try and access it from a remote server with telnet again. This time use the following HTTP request: ihcn> GET http://localhost/test.asp HTTP/1.0 -- ~/ZARAZA Но Гарри... я безусловно отдаю предпочтение ему, за высокую питательность и какое-то особенно нежное мясо. (Твен)
Current thread:
- Remote IIS 5.x and IIS 6.0 Server Name Spoof inge_eivind . henriksen (Aug 22)
- Re: Remote IIS 5.x and IIS 6.0 Server Name Spoof 3APA3A (Aug 23)
- <Possible follow-ups>
- RE: Remote IIS 5.x and IIS 6.0 Server Name Spoof Sacha Faust (Aug 24)