Dear inge_eivind.henriksen (at) chello (dot) no [email concealed],
The bug here is not in ability to spoof SERVER_NAME, because SERVER_NAME
is untrusted data from Host: request header or from proxy-style HTTP
request (like in case of your example). SERVER_NAME is ALWAYS untrusted
data. The bug here is in the way SERVER_NAME is used in error page
genaration. So, you article should be called something like "Microsoft
IIS error page access validation weakness". If any script use
SERVER_NAME in this way, this is vulnerability of the script itself.
--Monday, August 22, 2005, 7:23:08 PM, you wrote to bugtraq (at) securityfocus (dot) com [email concealed]:
ihcn> 6. Try and access it from a remote server with telnet again. This time use the following HTTP request:
ihcn> GET http://localhost/test.asp HTTP/1.0
The bug here is not in ability to spoof SERVER_NAME, because SERVER_NAME
is untrusted data from Host: request header or from proxy-style HTTP
request (like in case of your example). SERVER_NAME is ALWAYS untrusted
data. The bug here is in the way SERVER_NAME is used in error page
genaration. So, you article should be called something like "Microsoft
IIS error page access validation weakness". If any script use
SERVER_NAME in this way, this is vulnerability of the script itself.
--Monday, August 22, 2005, 7:23:08 PM, you wrote to bugtraq (at) securityfocus (dot) com [email concealed]:
ihcn> 6. Try and access it from a remote server with telnet again. This time use the following HTTP request:
ihcn> GET http://localhost/test.asp HTTP/1.0
--
~/ZARAZA
Íî Ãàððè... ÿ áåçóñëîâíî îòäàþ ïðåäïî÷òåíèå åìó, çà
âûñîêóþ ïèòàòåëüíîñòü è êàêîå-òî îñîáåííî íåæíîå ìÿñî. (Òâåí)
[ reply ]