WebApp Sec
mailing list archives
Re: http://www.domainname.com./ (with the ending)
From: Mark Burnett <mb () xato net>
Date: Wed, 13 Apr 2005 19:36:51 -0600
Basically what you are doing is providing a domain name that it does not recognize. It therefore either tries the
default web site (either Under Construction or the actual web site) if one is configured or returns a 404 error if
there is no web site configured. If the site has URLScan installed, you will see the 400 error message. You would get
the same effect by browsing directly to the IP address of the web site and not providing a host header.
Mark Burnett
On Wed, 13 Apr 2005 10:52:31 -0400, Scovetta, Michael V wrote:
All--
I don't think this is anything to be concerned about, but I find it odd that some websites (looks like IIS-sites), if
you go to http://server./ (with a period appended), you usually get a "no web site configured", or "under
construction". I guess the browser ignores the last . and finds the name in DNS, but then puts the . in the Host
header. It looks like Apache ignores the . in the host header, so you wind up seeing http://server/'s content even
though the URL says http://server./
For instance:
http://www.google.com./ Normal Google page
http://www.easyasphosting.com./ 400 - bad request
http://www.iviewstudio.com./ 404 - File Not Found (or "No web site is configured at this address")
I'd assume that if you have multiple hosts configured, then the . throws it off.
It also looks like Firefox and IE both handle it the same way.
Sorry if this is a re-post-- I've never heard of this before, it just struck me as odd, and thought I should throw it
out there.
Regards,
Michael Scovetta
Computer Associates
Senior Application Developer
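
A simplified model of the behaviour discussed in this thread, added as an example and not part of either poster's message: a server that matches the Host header as an exact string treats `www.example.com.` as an unknown name and falls through to its default site (or to nothing, when no default is configured), while one that normalizes the name first serves the same site. The site names and function names are constructed for illustration and do not reproduce IIS or Apache code.

```python
# Added example: a simplified model of name-based virtual-host selection.
# Site names and the default-site fallback are constructed for illustration.

SITES = {"www.example.com": "main site", "shop.example.com": "shop site"}
DEFAULT_SITE = "default site (e.g. Under Construction)"


def split_host_port(host_header):
    """Return (host, port) from a Host header value; port is None if absent."""
    value = host_header.strip()
    if value.startswith("["):                  # IPv6 literal, e.g. [::1]:8080
        end = value.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal")
        host, rest = value[: end + 1], value[end + 1:]
        port = rest[1:] if rest.startswith(":") else None
        return host, port or None
    host, sep, port = value.partition(":")
    return host, (port if sep else None)


def normalize_host(host_header):
    """Lower-case the name and drop a single trailing root dot (FQDN form)."""
    host, _port = split_host_port(host_header)
    host = host.lower()
    if host.endswith(".") and not host.endswith(".."):
        host = host[:-1]
    if not host:
        raise ValueError("empty host")
    return host


def select_exact(host_header, default=DEFAULT_SITE):
    """Exact string match: 'www.example.com.' is an unrecognized name."""
    host, _port = split_host_port(host_header)
    return SITES.get(host, default)


def select_normalized(host_header, default=DEFAULT_SITE):
    """Match after normalization: the trailing dot selects the same site."""
    return SITES.get(normalize_host(host_header), default)
```

Passing `default=None` models a server with no default site configured, where the unrecognized name has nothing to fall back to. The same normalization belongs in front of any Host-based allowlist or routing rule so that the dotted and undotted forms are always treated alike.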