Re: [Full-disclosure] strange domain name in phishing email



On Tue, 14 Mar 2006, Chris Umphress wrote:

On 3/14/06, gboyce <gboyce@xxxxxxxxxxxx> wrote:
I tried this trick against my personal Apache 2 webserver, and got a 400
bad request as well. The apache log is showing "Client sent malformed
Host header".

It looks like Apache is getting the decimal host header, and doesn't
understand what to do with it. Oddly, the host mentioned in the initial
e-mail is also Apache, but it's Apache 1.3.

Is your Apache on windows server 1.x or 2.x?


I'll jump in and say that mine works works this way (If you want to
verify, it is http://1136002182/).

I am using Apache 1.3 and have several virtual hosts set up. Since
Apache returns the first virtual host if it doesn't match the names of
any of the other virtual hosts. That could be the determining factor
for why some work and others don't.

I have virtual hosts setup as well, and this behavior doesn't work for me.

I tested a few different servers, and what I've found is that Apache 1.3 accepts hosts defined in this manner. Apache 2.0 fails with a 400 error.

Greg

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages

  • New Module: Apache process/host manager
    ... "Apache Independent Virtual Hosts". ... the potential usefulness of this project and my current namespace. ... store host information in an SQL database, ... they mess up and their server doesn't start, ...
    (comp.lang.perl.misc)
  • [UNIX] Apache 2 Cross-Site Scripting
    ... A vulnerability exists in the SSI error pages of Apache 2.0 that involves ... This particular attack involves a lack of filtering on HTTP/1.1 "Host" ... Some browsers submit the malicious host header when parsing this request: ...
    (Securiteam)
  • Re: Need Help on setting up a small home site.
    ... > host a small website of mine.Howevery, this is the first time I have ... If you can follow the Apache ... configuration connections on the LAN side. ... > of the Apache HTTP server after it has been installed. ...
    (comp.infosystems.www.servers.unix)
  • Re: about DSA-2452-1 apache2 -- insecure default configuration
    ... What do you mean by site security? ... As Apache can be run in a multi-homed (virtual host) environmenet I can ... Fixing the sample scripts? ...
    (Debian-User)
  • Re: Obtaining the URL
    ... Not all subdomains will have a vhost entry for them in Apache, ... > Host: header is not filled in. ...
    (comp.lang.php)