On Tue, Mar 17, 2009 at 2:19 PM, Amos Jeffries <[email protected]> wrote:
> Basically: Host header forgery meets interception.
>
> What ideas/patches do we have floating around to solve it? I understand it's
> an old problem.
>
> I'm throwing together a patch to verify the received dst IP is in the rDNS
> for the Host: domain. But that's only raising the bar of difficulty, not
> closing the hole.

It would be interesting to know what the commercial solutions which
claim to be unaffected do to address the issue. Is there any
information available on that?


-- 
    /kinkie
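As an added illustration of the check Amos describes (not code from this thread or from Squid): compare the intercepted connection's destination IP with the addresses the Host: name resolves to, failing closed on anything unparseable or unresolvable. The DNS table, function names and sample values below are constructed for the example, and forward (A/AAAA) resolution of the Host name is assumed as the intended lookup.

```python
import ipaddress

# Constructed stand-in for the resolver: Host names and the addresses they resolve to.
# A real deployment would query DNS (e.g. socket.getaddrinfo) instead of this table.
CONSTRUCTED_DNS = {
    "www.example.com": ["93.184.216.34", "2606:2800:220:1:248:1893:25c8:1946"],
    "intranet.example.com": ["10.0.0.5"],
}


def constructed_resolver(name):
    """Return the list of address strings the name resolves to (empty if unknown)."""
    return CONSTRUCTED_DNS.get(name, [])


def parse_host_header(host_header):
    """Extract the host part of a Host: header value: strip the port, lowercase."""
    h = host_header.strip()
    if h.startswith("["):  # bracketed IPv6 literal, e.g. [2001:db8::1]:8080
        end = h.find("]")
        if end == -1:
            raise ValueError("malformed bracketed IPv6 Host header")
        return h[1:end].lower()
    # A hostname or IPv4 literal has at most one colon, which separates the port.
    return h.rsplit(":", 1)[0].lower() if h.count(":") == 1 else h.lower()


def dst_matches_host(host_header, dst_ip, resolve=constructed_resolver):
    """True if the intercepted connection's destination IP is one of the
    addresses the Host: name resolves to. Parse or lookup failures are
    treated as a mismatch so the check fails closed."""
    try:
        name = parse_host_header(host_header)
        dst = ipaddress.ip_address(dst_ip)
    except ValueError:
        return False
    try:  # A literal IP in Host: must equal the destination exactly.
        return ipaddress.ip_address(name) == dst
    except ValueError:
        pass  # not a literal; fall through to name resolution
    for addr in resolve(name):
        try:
            if ipaddress.ip_address(addr) == dst:
                return True
        except ValueError:
            continue  # ignore garbage from the resolver
    return False
```

A forged Host: that resolves to the same destination still passes, which is the "raising the bar, not closing the hole" caveat from the quoted message.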
