BugTraq
RE: Remote IIS 5.x and IIS 6.0 Server Name Spoof Aug 24 2005 01:43AM
Sacha Faust (sfaust spidynamics com)
That's correct. Back in 2000-2001 I reported to Microsoft that they were using the SERVER_NAME variable in some of their sample applications, which made some sites even more vulnerable. Any server variable should be considered untrusted and validated like any other user input. This is the reason why our SecureObject product has been detecting server variable usage and protecting them automatically.

For more information visit http://www.spidynamics.com/products/devinspectso2003/index.html

Sacha Faust
Manager - SPILabs
S.P.I. Dynamics, Inc.
sfaust (at) spidynamics (dot) com [email concealed]
www.spidynamics.com
Secure. Protect. Inspect.

-----Original Message-----
From: 3APA3A [mailto:3APA3A (at) SECURITY.NNOV (dot) RU [email concealed]]
Sent: August 23, 2005 6:19 AM
To: inge_eivind.henriksen (at) chello (dot) no [email concealed]
Cc: bugtraq (at) securityfocus (dot) com [email concealed]
Subject: Re: Remote IIS 5.x and IIS 6.0 Server Name Spoof

Dear inge_eivind.henriksen (at) chello (dot) no [email concealed],

The bug here is not in the ability to spoof SERVER_NAME, because SERVER_NAME is untrusted data from the Host: request header or from a proxy-style HTTP request (as in the case of your example). SERVER_NAME is ALWAYS untrusted data. The bug here is in the way SERVER_NAME is used in error page generation. So, your article should be called something like "Microsoft IIS error page access validation weakness". If any script uses SERVER_NAME in this way, this is a vulnerability of the script itself.

--Monday, August 22, 2005, 7:23:08 PM, you wrote to bugtraq (at) securityfocus (dot) com [email concealed]:

ihcn> 6. Try and access it from a remote server with telnet again. This time use the following HTTP request:
ihcn> GET http://localhost/test.asp HTTP/1.0

--
~/ZARAZA
But Harry... I unquestionably give preference to him, for his high nutritional value and a certain especially tender meat. (Twain)
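The point made in this thread, shown as an added example that is not part of either post and not code from IIS or any product named here: a check that decides "local" from the client-supplied server name is compared with one based on the connection's peer address, plus an allowlist check on the name. The function names, `ALLOWED_HOSTS`, the sample requests and the peer address are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample values: names this site is configured to serve.
ALLOWED_HOSTS = {"www.example.test"}

def server_name(raw_request: bytes) -> str:
    """Name the client asked for: the absolute-form target wins over Host."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    if "://" in target:  # proxy-style request line
        return urlsplit(target).hostname or ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return urlsplit("//" + value.strip()).hostname or ""
    return ""

def naive_is_local(raw_request: bytes) -> bool:
    """Weak: decides 'local' from a value the client controls."""
    return server_name(raw_request) in {"localhost", "127.0.0.1"}

def hardened_is_local(peer_ip: str) -> bool:
    """Decides 'local' from the TCP peer address of the connection."""
    return ipaddress.ip_address(peer_ip).is_loopback

def host_is_expected(raw_request: bytes) -> bool:
    """Validate the name like any other input: exact allowlist match."""
    return server_name(raw_request) in ALLOWED_HOSTS

# Constructed requests; the first uses the request line quoted in the thread.
PROXY_STYLE = b"GET http://localhost/test.asp HTTP/1.0\r\n\r\n"
NORMAL = b"GET /test.asp HTTP/1.1\r\nHost: WWW.Example.Test:8080\r\n\r\n"
REMOTE_PEER = "203.0.113.7"  # documentation address standing in for a remote client

if __name__ == "__main__":
    for label, req in (("proxy-style", PROXY_STYLE), ("normal", NORMAL)):
        print(label, repr(server_name(req)),
              "naive_local=%s" % naive_is_local(req),
              "peer_local=%s" % hardened_is_local(REMOTE_PEER),
              "host_ok=%s" % host_is_expected(req))
```
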
