Re: Positive Technologies Security Advisory 2003-0307: DoS-attack in Kerio WinRoute Firewall

From: Peter Pentchev (roam@ringlet.net)
Date: 04/01/03

  • Next message: magistrat: "Css in Xoops module glossary 1.3.x"
    Date: Tue, 1 Apr 2003 10:49:58 +0300
    From: Peter Pentchev <roam@ringlet.net>
    To: Dmitry Maksimov <dmaksimov@ptsecurity.ru>
    
    
    

    On Mon, Mar 31, 2003 at 10:00:26AM +0400, Dmitry Maksimov wrote:
    [snip]
    > Positive Technologies reports that single simple HTTP request to Kerio
    > Winroute Firewall Web administration interface (TCP/4080)
    >
    > GET / HTTP/1.0
    > Authorization: Basic XXX
    >
    > instead of correct one:
    >
    > GET / HTTP/1.0
    > Host: server
    > Authorization: Basic XXX
    >
    >
    > causes 100% CPU utilization of attacked computer.

    Hmm. Correct me if I'm wrong, but IMHO version 1.0 of the HTTP protocol
    does *not* require a Host header in the request. The Host header is a
    requirement in HTTP/1.1 for virtual hosting, isn't it? Thus, an
    HTTP/1.0 request without a Host header is perfectly valid, and expected.
    This would mean that this application breaks not only on invalid
    requests, but also on legitimate ones.

    G'luck,
    Peter

    -- 
    Peter Pentchev	roam@ringlet.net    roam@sbnd.net    roam@FreeBSD.org
    PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
    Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
    I am jealous of the first word in this sentence.
    
    



  • Next message: magistrat: "Css in Xoops module glossary 1.3.x"

    Relevant Pages

    • Re: IIS 6.0 - no host header value - Are host header requests proc
      ... The packets may not be malformed - it may be that the end client is using a DNS server that is incorrectly configured. ... In the case that a request comes in with a host header that matches none of the websites on your machine, then IIS will look for a site that is listening with no host header value *and* specifically bound to the IP address that the request came in on. ...
      (microsoft.public.inetserver.iis.security)
    • [Full-Disclosure] RE: COELACANTH: Phreak Phishing Expedition]
      ... everybody ignores the host header. ... will cause bad request returns with some web servers. ... > security zone it should use to render the HTML. ...
      (Full-Disclosure)
    • RE: COELACANTH: Phreak Phishing Expedition]
      ... everybody ignores the host header. ... will cause bad request returns with some web servers. ... > security zone it should use to render the HTML. ...
      (Bugtraq)
    • RE: COELACANTH: Phreak Phishing Expedition]
      ... everybody ignores the host header. ... will cause bad request returns with some web servers. ... > security zone it should use to render the HTML. ...
      (Full-Disclosure)
    • host header names as security devices
      ... I am curious if the use of a host header name ... In the event of an HTTP request sent to the IP address (rather than to the ... hostname) of an IIS server running a web site configured with an IIS host ... match a configured host header name and there was no default site to return. ...
      (Focus-Microsoft)