A vulnerability was reported in Java-enabled browsers (Microsoft Internet Explorer 5.0+, Mozilla, or Netscape 6.2+) operating behind firewalls.

A malicious user can use any JavaScript-enabled web browser behind a firewall to retrieve content from (HTTP GET) and interact with (HTTP POST) any HTTP server behind the firewall. If the client in use is Microsoft Internet Explorer 5.0+, Mozilla, or Netscape 6.2+, the attacker can also make calls to SOAP or XML-RPC web services deployed behind the firewall.

A suggested workaround for this vulnerability is as follows: Web servers behind firewalls should be configured to reject any HTTP request with an unrecognized 'Host' header, rather than serving pages from the "default" virtual host. This can be accomplished without patches by creating a "default" virtual host with no content, and creating a name-based virtual server for each hostname which the server is intended to serve.
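Where the front-end server's virtual-host configuration cannot be changed, the same rule can be enforced in the application. The WSGI middleware below is an added example, not part of the original advisory; `ALLOWED_HOSTS`, `HostAllowList`, `demo_status` and the hostnames are hypothetical names and constructed values.

```python
# Assumption: the hostnames this server is intended to serve (constructed placeholders).
ALLOWED_HOSTS = frozenset({"intranet.example.internal", "wiki.example.internal"})

def normalize_host(raw):
    """Return the lowercase hostname from a Host header value, or None if unusable."""
    if not raw:
        return None                       # missing or empty Host header
    host = raw.strip().lower()
    if host.startswith("["):              # bracketed IPv6 literal, e.g. [::1]:8080
        end = host.find("]")
        if end == -1:
            return None
        host, rest = host[:end + 1], host[end + 1:]
    else:
        host, sep, port = host.partition(":")
        rest = sep + port
    if rest and not (rest.startswith(":") and rest[1:].isdigit()):
        return None                       # anything after the name must be ":<digits>"
    return host.rstrip(".") or None       # treat "name." and "name" as the same host

class HostAllowList:
    """Reject requests whose Host is not recognized instead of serving a default site."""
    def __init__(self, app, allowed=ALLOWED_HOSTS):
        self.app = app
        self.allowed = frozenset(h.lower() for h in allowed)

    def __call__(self, environ, start_response):
        if normalize_host(environ.get("HTTP_HOST")) not in self.allowed:
            body = b"unrecognized Host header\n"
            start_response("400 Bad Request", [("Content-Type", "text/plain"),
                                               ("Content-Length", str(len(body)))])
            return [body]                 # the "default" host carries no content
        return self.app(environ, start_response)

def demo_status(host_header):
    """Run one constructed request through the middleware and return the status line."""
    seen = []
    def app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"internal page\n"]
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    if host_header is not None:
        environ["HTTP_HOST"] = host_header
    HostAllowList(app)(environ, lambda status, headers: seen.append(status))
    return seen[0]
```

Requests addressed by bare IP address are rejected as well, since an IP literal is not one of the recognized names.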

Reported by: Adam Megacz