|
WebApp Sec
mailing list archives
RE: http://www.domainname.com./ (with the ending)
From: "Wall, Kevin" <Kevin.Wall () qwest com>
Date: Wed, 13 Apr 2005 18:53:36 -0500
Michael Scovetta writes...
I don't think this is anything to be concerned about, but I
find it odd that some websites (looks like IIS-sites), if you
go to http://server./ (with a period appended), you usually
get a "no web site configured", or "under construction". I
guess the browser ignores the last . and finds the name in
DNS, but then puts the . in the Host header. It looks like
Apache ignores the . in the host header, so you go wind up
seeing http://server/'s content even though the URL says
http://server./
For instance:
http://www.google.com./ Normal Google page
http://www.easyasphosting.com./ 400 - bad request
http://www.iviewstudio.com./ 404 - File Not
Found (or "No web site is configured at this address")
I'd assume that if you have multiple hosts configured, then
the . throws it off.
Looks like you may have stumbled upon a new way (to me at least)
to fingerprint web servers. Anyone know what RFC 2616 (HTTP 1.1 spec)
says the behavior _should_ be for this (if it even mentions it at all).
I gotta run and have no time to look it up now, but intuition says
it should be ignored in the HOST header since its a valid DNS name.
-kevin
---
Kevin W. Wall Qwest Information Technology, Inc.
Kevin.Wall () qwest com Phone: 614.215.4788
"The reason you have people breaking into your software all
over the place is because your software sucks..."
-- Former whitehouse cybersecurity advisor, Richard Clarke,
at eWeek Security Summit
 By Date 
By Thread
Current thread:
|
Intro
