Kinkie wrote:
> On Tue, Mar 17, 2009 at 2:19 PM, Amos Jeffries <[email protected]> wrote:
>
>> Basically: Host header forgery meets interception.
>>
>> What ideas/patches do we have floating around to solve it? I understand it's
>> an old problem.
>>
>> I'm throwing together a patch to verify the received dst IP is in the rDNS
>> for the Host: domain. But that's only raising the bar of difficulty, not
>> closing the hole.
>>

Same approach that SmoothWall is taking. http://www.kb.cert.org/vuls/id/MAPG-7M6SM7

>
> It would be interesting to know what the commercial solutions which
> claim to be unaffected do to address the issue. Is there any
> information available on that?
>

No information available in any of "Not Vulnerable" products from http://www.kb.cert.org/vuls/id/435052

Thanks
Emilio
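The check described in the quoted message above, comparing an intercepted connection's original destination IP with the addresses the Host: name resolves to, sketched as an added example (it is not Squid's patch or code from this thread). It assumes forward A/AAAA lookups; `split_host`, `host_matches_dst`, `sample_resolver` and the sample records are hypothetical names and constructed data.

```python
import ipaddress
import socket

def split_host(host_header):
    """Return the hostname part of a Host header value, dropping any port."""
    host = host_header.strip()
    if host.startswith("["):            # bracketed IPv6 literal, e.g. [2001:db8::1]:8080
        return host[1:host.index("]")]
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host

def system_resolver(name):
    """Default resolver: A/AAAA lookup through the OS (needs network access)."""
    infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}

def host_matches_dst(host_header, orig_dst_ip, resolve=system_resolver):
    """True if the intercepted connection's original destination IP is one of
    the addresses the Host: name resolves to, or equals a literal-IP Host."""
    dst = ipaddress.ip_address(orig_dst_ip)
    name = split_host(host_header)
    try:
        return ipaddress.ip_address(name) == dst   # Host: is an IP literal
    except ValueError:
        pass                                       # not a literal, resolve it
    try:
        answers = resolve(name)
    except OSError:
        return False                               # unresolvable: treat as mismatch
    return any(ipaddress.ip_address(a) == dst for a in answers)

# Constructed sample records (documentation address ranges, not real DNS data).
SAMPLE_DNS = {"intranet.example": {"192.0.2.10", "2001:db8::10"}}

def sample_resolver(name):
    """Offline stand-in for DNS, keyed on the lower-cased name."""
    try:
        return SAMPLE_DNS[name.lower().rstrip(".")]
    except KeyError:
        raise OSError("no such name")

if __name__ == "__main__":
    for host, dst in [("intranet.example", "192.0.2.10"),
                      ("intranet.example:80", "203.0.113.7")]:
        print(host, dst, host_matches_dst(host, dst, sample_resolver))
```

As the quoted message says, a check like this only raises the bar: it depends on the answers the proxy's own resolver returns for the Host: name.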
