Re: COELACANTH: Phreak Phishing Expedition]

From: Drew Copley (dcopley_at_EEYE.COM)
Date: 06/11/04

  • Next message: http-equiv_at_excite.com: "Notes: COELACANTH: Phreak Phishing Expedition"
    Date:         Fri, 11 Jun 2004 10:45:39 -0700
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

     

    > -----Original Message-----
    > From: Thor Larholm [mailto:thor@pivx.com]
    > Sent: Thursday, June 10, 2004 6:10 PM
    > To: Drew Copley; full-disclosure@lists.netsys.com;
    > bugtraq@securityfocus.com
    > Cc: ntbugtraq@listserv.ntbugtraq.com
    > Subject: RE: COELACANTH: Phreak Phishing Expedition]
    >
    > You can't replicate this with most other servers because the
    > Host header
    > is set to a non-existant site on most servers.
    >
    > Whenever IIS or Apache receives a request it will first locate the
    > proper site based on the IP adress being used, after which it will
    > lookup based on the Host header. In the case of e-gold, they
    > have simply
    > not specified a Host header for the IIS website that they configured.
    > You can send a HTTP request to e-gold.com with "Host: foobar"
    > and their
    > site still comes up, even though you should only get their site with a
    > header such as "Host: e-gold.com" or "Host: www.e-gold.com".
    >
    > HTTP 1.1 requires the use of a Host header and it is bad practice to
    > accept HTTP requests without a Host header that corresponds
    > to a locally
    > configured site.

    <snip>

    I use no host header and munged ones all the time, using custom
    clients and servers for testing. No one has a problem with this,
    not Apache, nor IIS, anyway. (I won't get on the subject of RFC
    compliancy except to say it is something quite often ignored...)

    I believe the bitlance solution this morning is correct. It is a magic
    dns
    issue. "whatevercraphere.com.yourmagicdnssite.com" being allowed
    is the problem.

    Very amusing situation in an academic kind of way...

    -----
    NTBugtraq Editor's Note:

    Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you''ll have to copy their email address out of the message and place it in your TO: field.
    -----


  • Next message: http-equiv_at_excite.com: "Notes: COELACANTH: Phreak Phishing Expedition"

    Relevant Pages