Re: XWT Foundation Advisory

From: Adam Megacz (adamat_private)
Date: Tue Jul 30 2002 - 10:57:55 PDT


    "Thor Larholm" <thorat_private> writes:
    > I for one am in agreement on this issue, especially with regards to
    > "Default" sites on e.g. IIS - it is very uncommon for anyone to
    > serve content from the "Default" site (without checking the Host
    > header) these days.
    
    On the public Internet, you are correct. On private networks, however,
    exactly the opposite is true. NameVirtualHosts are only used when you
    need to have more than one site on a given IP. On a private network,
    you are not bound by ARIN's limitations -- IPs are plentiful. Because
    of this, most intranet sites *do* run off of the "default" Host.
    
    Also, most SOAP web services do not check the Host header.
    
    
    > I still quite fail to see the relevance to firewalls, as nothing is
    > circumvented - the administrator has explicitly allowed HTTP traffic
    > on (most often) port 80.
    
    The administrator has assumed that only hosts on the private, internal
    network can access the site. With this exploit, any person anywhere on
    the public internet can access content on HTTP servers, or call SOAP
    web services on the private network.
    
    Every corporation I've ever worked for depended on this
    internal/external distinction for security in some way. I don't
    advocate this, but it's a very common practice.
    
      - a
    
    
    -- 
    Sick of HTML user interfaces?
    www.xwt.org
    
    Some people don't care if the pie is smaller, so long as they still
    get all of it.
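
The Host-header check that both posters refer to, sketched as WSGI middleware. This is an added example, not code from the thread or from XWT; the name `wiki.corp.example`, the function names and the sample requests are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the only name this intranet service is meant to answer to.
ALLOWED_HOSTS = {"wiki.corp.example"}

def normalize_host(header):
    """Return the lowercase host from a Host header value, or None if malformed."""
    if not header or any(c in header for c in " \t\r\n/@?#\\"):
        return None
    try:
        parts = urlsplit("//" + header)
        parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return None
    host = parts.hostname
    return host.rstrip(".") if host else None  # "name." and "name" are the same host

def require_known_host(app, allowed=ALLOWED_HOSTS):
    """Wrap a WSGI app so it stops acting as the 'default' site for any Host."""
    def guarded(environ, start_response):
        if normalize_host(environ.get("HTTP_HOST")) not in allowed:
            body = b"Unrecognized Host header\n"
            start_response("400 Bad Request", [("Content-Type", "text/plain"),
                                               ("Content-Length", str(len(body)))])
            return [body]
        return app(environ, start_response)
    return guarded

def intranet_app(environ, start_response):
    """Stand-in for the internal site or SOAP endpoint (constructed)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"internal content\n"]

def status_for(host_header):
    """Send one constructed request through the guarded app; return the status line."""
    seen = []
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    if host_header is not None:
        environ["HTTP_HOST"] = host_header
    require_known_host(intranet_app)(environ, lambda status, headers: seen.append(status))
    return seen[0]

if __name__ == "__main__":
    # Constructed Host values: expected name, name with port, unknown name, no header.
    for h in ("wiki.corp.example", "WIKI.corp.example:8080", "other.example", None):
        print(repr(h), "->", status_for(h))
```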
    


