Bugtraq: Re: Remote IIS 5.x and IIS 6.0 Server Name Spoof

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Bugtraq mailing list archives

Re: Remote IIS 5.x and IIS 6.0 Server Name Spoof

From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Tue, 23 Aug 2005 14:19:24 +0400

Dear inge_eivind.henriksen () chello no,

The bug here is not in ability to spoof SERVER_NAME, because SERVER_NAME
is  untrusted  data  from  Host: request header or from proxy-style HTTP
request  (like in case of your example). SERVER_NAME is ALWAYS untrusted
data.  The  bug  here  is  in  the way SERVER_NAME is used in error page
genaration.  So,  you article should be called something like "Microsoft
IIS   error   page  access  validation  weakness".  If  any  script  use
SERVER_NAME in this way, this is vulnerability of the script itself.

--Monday, August 22, 2005, 7:23:08 PM, you wrote to bugtraq () securityfocus com:



ihcn> 6. Try and access it from a remote server with telnet again. This time use the following HTTP request:
ihcn> GET http://localhost/test.asp HTTP/1.0


-- 
~/ZARAZA
Но Гарри... я безусловно отдаю предпочтение ему, за
высокую питательность и какое-то особенно нежное мясо. (Твен)

By Date By Thread

Current thread:

Remote IIS 5.x and IIS 6.0 Server Name Spoof inge_eivind . henriksen (Aug 22)
- Re: Remote IIS 5.x and IIS 6.0 Server Name Spoof 3APA3A (Aug 23)
- <Possible follow-ups>
- RE: Remote IIS 5.x and IIS 6.0 Server Name Spoof Sacha Faust (Aug 24)