WebApp Sec: RE: http://www.domainname.com./ (with the ending)

From: Wall, Kevin <Kevin.Wall_at_qwest.com>
Date: Wed, 13 Apr 2005 18:53:36 -0500

Michael Scovetta writes...

> I don't think this is anything to be concerned about, but I
> find it odd that some websites (looks like IIS-sites), if you
> go to http://server./ (with a period appended), you usually
> get a "no web site configured", or "under construction". I
> guess the browser ignores the last . and finds the name in
> DNS, but then puts the . in the Host header. It looks like
> Apache ignores the . in the host header, so you wind up
> seeing http://server/'s content even though the URL says
> http://server./
>
> For instance:
> http://www.google.com./ Normal Google page
> http://www.easyasphosting.com./ 400 - bad request
> http://www.iviewstudio.com./ 404 - File Not
> Found (or "No web site is configured at this address")
>
> I'd assume that if you have multiple hosts configured, then
> the . throws it off.

Looks like you may have stumbled upon a new way (to me at least)
to fingerprint web servers. Anyone know what RFC 2616 (HTTP 1.1 spec)
says the behavior _should_ be for this (if it even mentions it at all)?
I gotta run and have no time to look it up now, but intuition says
it should be ignored in the HOST header since it's a valid DNS name.

-kevin

---
Kevin W. Wall		Qwest Information Technology, Inc.
Kevin.Wall_at_qwest.com	Phone: 614.215.4788
"The reason you have people breaking into your software all 
over the place is because your software sucks..."
 -- Former whitehouse cybersecurity advisor, Richard Clarke,
    at eWeek Security Summit
Received on Apr 13 2005