On Mon, Mar 31, 2003 at 10:00:26AM +0400, Dmitry Maksimov wrote: [snip] > Positive Technologies reports that single simple HTTP request to Kerio > Winroute Firewall Web administration interface (TCP/4080) > > GET / HTTP/1.0 > Authorization: Basic XXX > > instead of correct one: > > GET / HTTP/1.0 > Host: server > Authorization: Basic XXX > > > causes 100% CPU utilization of attacked computer.
Hmm. Correct me if I'm wrong, but IMHO version 1.0 of the HTTP protocol does *not* require a Host header in the request. The Host header is a requirement in HTTP/1.1 for virtual hosting, isn't it? Thus, an HTTP/1.0 request without a Host header is perfectly valid, and expected. This would mean that this application breaks not only on invalid requests, but also on legitimate ones. G'luck, Peter -- Peter Pentchev [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553 I am jealous of the first word in this sentence.
pgp00000.pgp
Description: PGP signature
