Brian Steele wrote:
>
> For that to work, the "arbitrary commands" in the buffer-overflow exploit
> will have to set up an app listening on port 80 - the same port as the
> webserver, AND send and receive traffic using HTTP. May be possible, but
> sounds a bit far-fetched. The same-port issue might be the largest
> stumbling block.
>
> And the sample scripts are typically removed from any secure IIS
> installation anyway :-).

I agree that the proxy makes an attack more difficult and that it is a
good protection mechanism because it requires the traffic to look like
HTTP. However, you had better not be permitting any other protocols to
the web server that do not pass through the proxy or that do but use a
plug-gw type mechanism that doesn't do content inspection to make sure
that the traffic really does conform to that application protocol. That
is the path you would take to provide a remote shell rather than going
through the trouble of using httptunnel.

With some IIS vulnerabilities it has been possible to gain significant
access to the web server even with a tight proxy configuration. This is
not a theoretical situation. I have done it and seen it done. Putting
the web server behind the proxy is a bad idea if you don't isolate the
web server from the rest of your internal network; otherwise I'm all for
it.

-paul
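
A defender's check for the two conditions raised in the reply above, as an added example that is not part of the original message. The rule format, zone names and `via` labels are assumptions made for illustration, and the sample policy is constructed.

```python
"""Audit a firewall policy for non-inspected paths to a web server
and for missing isolation between the web server and the internal network."""
from dataclasses import dataclass

WEB = "dmz-web"        # hypothetical label for the web server's zone
INTERNAL = "internal"  # hypothetical label for the internal network
ANY = "any"            # wildcard zone

# Relay mechanisms that check the traffic conforms to the application protocol.
# A plug-gw style relay forwards bytes blindly, so it is not listed here.
INSPECTING = {"http-proxy"}

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: int
    via: str  # "http-proxy", "plug-gw" or "direct"

def covers(field, zone):
    """True if a rule's src/dst field includes the given zone."""
    return field in (zone, ANY)

def audit(rules):
    """Return (rule, reason) pairs for every permitted flow that is risky."""
    findings = []
    for r in rules:
        if covers(r.dst, WEB) and r.via not in INSPECTING:
            findings.append((r, "reaches web server without content inspection"))
        if covers(r.src, WEB) and covers(r.dst, INTERNAL):
            findings.append((r, "web server not isolated from internal network"))
    return findings

# Constructed sample policy (permit rules only).
POLICY = [
    Rule("internet", WEB, 80, "http-proxy"),  # inspected HTTP: fine
    Rule("internet", WEB, 443, "plug-gw"),    # blind relay to the web server
    Rule("admin-lan", WEB, 22, "direct"),     # bypasses the proxy entirely
    Rule(WEB, INTERNAL, 1433, "direct"),      # web server can reach inside
    Rule(WEB, "internet", 53, "direct"),      # outbound only: not flagged here
]

if __name__ == "__main__":
    for rule, reason in audit(POLICY):
        print(f"{rule.src} -> {rule.dst}:{rule.port} via {rule.via}: {reason}")
```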