Are you talking about the BITS change? Where it does BITS over HTTP?

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Daniel H. Renner
> Sent: Wednesday, October 13, 2004 10:37 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] Possibly a stupid question RPC over HTTP
>
> Daniel,
>
> Could you please point out where you read this data? I would
> like to see this one...
> --
> Daniel H. Renner <[EMAIL PROTECTED]>
> Los Angeles Computerhelp
>
>
> On Tue, 2004-10-12 at 20:54, [EMAIL PROTECTED] wrote:
> > Message: 18
> > Date: Tue, 12 Oct 2004 12:41:56 -0700
> > From: "Daniel Sichel" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Subject: [Full-Disclosure] Possibly a stupid question RPC over HTTP
> >
> > This may just reflect my ignorance, but I read (and found hard to
> > believe) that Microsoft has implemented RPC over HTTP. Is this not a
> > HUGE security hole? If I understand it correctly it means that good old
> > HTML or XML can invoke a process using standard web traffic (port 80)?
> > Is there any permission checking done? What things can be invoked by RPC
> > over HTTP? Jeeze, to me it looks like the barn door is now wide open. Am
> > I right, and if so, how can I detect RPCs in web traffic to block this
> > junk? Can ANY stateful packet filter see this stuff or is the pattern
> > too broad in allowed RPCs?
> >
> > Again, I hope this is not a stupid question or inappropriate format for
> > this, as somebody else recently said, there is already enough noise on
> > this list. I would hate to see this list degenerate, it has been REALLY
> > valuable to me as a network engineer on occasion.
> >
> > Thanks all,
> > Dan Sichel
> > Ponderosa telephone
> > [EMAIL PROTECTED]
> >
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
