Firewall Wizards mailing list archives
Re: Web Site Hacks
From: Nick Drage <maillists () smartways com>
Date: Thu, 04 Dec 1997 10:15:06 +0000
All, <- big snip ->
On Tue, 2 Dec 1997, Edward Cracknell wrote:
Assuming the Web server is behind the firewall and only http is allowed: a) The ability to run cgi-bin scripts or html form processing in a way which will create an html page as output. (Many form-based pages take input and produce a page for output). As a result, it might be possible to create a page that contains a URL like: <A HREF=telnet://target.system.behind.firewall> Click here </A> This would generally allow a telnet session from the web server to the target system and the firewall rules of ONLY http allowed through would not stop this.
At 13:59 03/12/97 -0500, Daniel Garcia wrote:
No, no, no, and again no. This would allow a telnet session from the web CLIENT to the target system. Web servers don't follow links - people (and their web browsers) do. This reminds me of some of the sillyisms I saw with gopher, where people thought that if they accessed a gopher site through a link somewhere else, they were really accessing it through that link somewhere else.
I *think* what Edward meant was a web interface to telnet on the web server located behind the firewall, rather than a telnet URL (the HTML was incorrect). Therefore the input and output of telnet running on the web server would be managed through the web browser via Java or CGI or whatever. I'm pretty sure this is possible, but I don't have the practical knowledge. Anyone? I've seen CGI interfaces to DOS prompts before, so I see no reason why this can't be done.
c) Attacks made to the DNS parent of your web site (ISP) to 'point' traffic elsewhere
That's why you should be your own primary/secondary :) (Or have access to, trust your secondary)
Good point; basically you should be your own primary.
Nick Drage, LANlord, Smartways http://www.nick.smartways.com
WARNING - no spellchecker, and this account is used for mailing lists only; use "nickd () smartways com" for regularly checked email. Thank you.
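The concern in point (a) above is a CGI or form handler that echoes user input back into a generated page and thereby emits a link whose scheme (telnet:, javascript:, ...) the site never meant to serve; the link is followed by whichever client renders the page, as Daniel points out, not by the server. One defensive check a site can apply before sending such a page is to allow-list the URL scheme of every link it emits. The following is an added example, not code from the thread or from any poster; the sample page, the host name and the allow-list are constructed for the demonstration, and the scheme check relies on the Python standard library's urlsplit, which lower-cases the scheme.

```python
"""Audit the URL schemes of links in a generated HTML page.

Added example (not from the mailing-list thread). A form handler that
echoes user input into a page can end up emitting links with schemes the
site never intended, such as telnet: or javascript:. Allow-listing the
scheme of every href/src/action value before the page is sent catches
that class of mistake. The sample page below is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Schemes a typical public web site intends to emit. The empty string
# stands for a relative link (no scheme at all). Constructed allow-list.
ALLOWED_SCHEMES = {"http", "https", "mailto", ""}

# Attributes whose values are URLs the client will act on.
URL_ATTRIBUTES = ("href", "src", "action")


class LinkCollector(HTMLParser):
    """Collect (tag, attribute, value) for every URL-bearing attribute."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRIBUTES and value is not None:
                self.links.append((tag, name, value))


def link_scheme(url):
    """Return the lower-cased scheme of a URL, '' for a relative link.

    Leading/trailing whitespace is stripped first, since browsers ignore
    it and an attacker could otherwise hide ' javascript:' behind a space.
    """
    return urlsplit(url.strip()).scheme.lower()


def audit_links(html, allowed=ALLOWED_SCHEMES):
    """Return every link in `html` whose scheme is not in `allowed`."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    return [
        (tag, attr, url)
        for tag, attr, url in collector.links
        if link_scheme(url) not in allowed
    ]


# Constructed sample: the output of a hypothetical comment-posting CGI,
# with two links that a public site should never emit.
SAMPLE_PAGE = """<html><body>
<p>Thanks, your comment was posted.</p>
<a href="http://www.example.com/">home</a>
<a href="/search?q=firewalls">search</a>
<a href="telnet://internal-host.example.internal">Click here</a>
<a href="mailto:webmaster@example.com">contact</a>
<a href=" JavaScript:alert(1)">help</a>
<img src="/images/logo.gif">
</body></html>"""


if __name__ == "__main__":
    for tag, attr, url in audit_links(SAMPLE_PAGE):
        print(f"disallowed scheme {link_scheme(url)!r} in <{tag} {attr}={url!r}>")
```

Run stand-alone, the script reports the telnet: and JavaScript: links and nothing else. In a real handler the same check would run on the page just before it is written to the client, and a failure would be logged and the offending link dropped rather than served.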