Re: CVE-2009-0801

From: Emilio Casbas <ecasbas_at_s21sec.com>
Date: Wed, 18 Mar 2009 01:14:22 +0100

Kinkie escribió:
> On Tue, Mar 17, 2009 at 2:19 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>
>> Basically: Host header forgery meets interception.
>>
>> What ideas/patches do we have floating around to solve it? I understand it's
>> an old problem.
>>
>> I'm throwing together a patch to verify the received dst IP is in the rDNS
>> for the Host: domain. But that's only raising the bar of difficulty, not
>> closing the hole.
>>
Same approach that SmootWhall is taking.
http://www.kb.cert.org/vuls/id/MAPG-7M6SM7

>
> It would be interesting to know what the commercial solutions which
> claim to be unaffected do to address the issue. Is there any
> information available on that?
>
No information available in any of "Not Vulnerable" products from
http://www.kb.cert.org/vuls/id/435052

Thanks
Emilio

Received on Wed Mar 18 2009 - 00:30:37 MDT

This archive was generated by hypermail 2.2.0 : Thu Mar 19 2009 - 12:00:03 MDT