Daniel,

Could you please point out where you read this data? I would like to see this one...

--
Daniel H. Renner <[EMAIL PROTECTED]>
Los Angeles Computerhelp

On Tue, 2004-10-12 at 20:54, [EMAIL PROTECTED] wrote:
> Message: 18
> Date: Tue, 12 Oct 2004 12:41:56 -0700
> From: "Daniel Sichel" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Subject: [Full-Disclosure] Possibly a stupid question RPC over HTTP
>
> This may just reflect my ignorance, but I read (and found hard to
> believe) that Microsoft has implemented RPC over HTTP. Is this not a
> HUGE security hole? If I understand it correctly it means that good old
> HTML or XML can invoke a process using standard web traffic (port 80)?
> Is there any permission checking done? What things can be invoked by RPC
> over HTTP? Jeeze, to me it looks like the barn door is now wide open. Am
> I right, and if so, how can I detect RPCs in web traffic to block this
> junk? Can ANY stateful packet filter see this stuff or is the pattern
> too broad in allowed RPCs?
>
> Again, I hope this is not a stupid question or inappropriate format for
> this, as somebody else recently said, there is already enough noise on
> this list. I would hate to see this list degenerate, it has been REALLY
> valuable to me as a network engineer on occasion.
>
> Thanks all,
> Dan Sichel
> Ponderosa telephone
> [EMAIL PROTECTED]
> _______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
