Firewall Wizards mailing list archives

Re: Web Site Hacks


From: Nick Drage <maillists () smartways com>
Date: Thu, 04 Dec 1997 10:15:06 +0000

All,

<- big snip ->

On Tue, 2 Dec 1997, Edward Cracknell wrote:
Assuming the Web server is behind the firewall and only http is allowed:
a) The ability to run cgi-bin scripts or html form processing in a way
which will create an html page as output. (Many form-based pages take
input and produce a page for output). As a result, it might be possible
to create a page that contains a URL like: 
<A HREF=telnet://target.system.behind.firewall> Click here </A>
This would generally allow a telnet session from the web server to the
target system and the firewall rules of ONLY http allowed through would
not stop this.

At 13:59 03/12/97 -0500, Daniel Garcia wrote:
No, no, no, and again no.  This would allow a telnet session from the
web CLIENT to the target system.  Web servers don't follow links - 
people (and their web browsers) do.  This reminds me of some of the sillyisms
I saw with gopher where people thought if they accessed a gopher site
through a link somewhere else, they were really accessing it through
that link somewhere else.

I *think* what Edward meant was a web interface to telnet on the web-server
located behind the Firewall, rather than a telnet URL ( the HTML was
incorrect ).  Therefore the input and output of telnet running on the
web-server would be managed through the web-browser via Java or CGI or
whatever and so on.  I'm pretty sure this is possible but I don't have the
practical knowledge.  Anyone?  I've seen CGI interfaces to DOS prompts
before so I see no reason why this can't be done.

c) Attacks made to the DNS parent of your web site (ISP) to 'point'
traffic elsewhere
That's why you should be your own primary/secondary :)  (Or have access
to, trust your secondary)

Good point, basically you should be your own primary.


Nick Drage, LANlord, Smartways
http://www.nick.smartways.com

WARNING - no spellchecker, and this account is used
for mailing lists only use "nickd () smartways com"
for regularly checked email.  Thank you.
