[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-Disclosure] Possibly a stupid question RPC over HTTP
- To: full-disclosure@xxxxxxxxxxxxxxxx
- Subject: Re: [Full-Disclosure] Possibly a stupid question RPC over HTTP
- From: "Daniel H. Renner" <dan@xxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 13 Oct 2004 11:37:12 -0400
Daniel,
Could you please point out where you read this data? I would like to
see this one...
--
Daniel H. Renner <dan@xxxxxxxxxxxxxxxxxxxxxxxxxx>
Los Angeles Computerhelp
On Tue, 2004-10-12 at 20:54, full-disclosure-request@xxxxxxxxxxxxxxxx
wrote:
> Message: 18
> Date: Tue, 12 Oct 2004 12:41:56 -0700
> From: "Daniel Sichel" <daniels@xxxxxxxxxxxxxxxx>
> To: <full-disclosure@xxxxxxxxxxxxxxxx>
> Subject: [Full-Disclosure] Possibly a stupid question RPC over HTTP
>
> This may just reflect my ignorance, but I read (and found hard to
> believe) that Microsoft has implemented RPC over HTTP. Is this not a
> HUGE security hole? If I understand it correctly it means that good old
> HTML or XML can invoke a process using standard web traffic (port 80)?
> Is there any permission checking done? what things can be invoked by RPC
> over HTTP? Jeeze, to me it looks like the barn door is now wide open. Am
> I right, and if so, how can I detect RPCs in web traffic to block this
> junk? Can ANY stateful packet filter see this stuff or is the pattern
> too broad in allowed RPCs?
>
> Again, I hope this is not a stupid question or inappropriate format for
> this, as somebody else recently said, there is already enough noise on
> this list. I would hate to see this list degenerate, it has been REALLY
> valuable to me as a network engineer on occaison.
>
> Thanks all,
> Dan Sichel
> Ponderosa telephone
> daniels@xxxxxxxxxxxxxxxx
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html