Subject: Re: nasty bug in wingate server, potential DOS.
From: Tony Langdon (tlangdon ATCTRAINING.COM.AU)
Date: Mon Jul 17 2000 - 17:44:26 CDT
- Maybe in reply to: gregory duchemin: "nasty bug in wingate server, potential DOS."
> if someone submits a USER command like this:
>
> USER login
host.domain
127.0.0.1
127.0.0.1
> PASS what3ver_u_want
This sounds like it could be worked around. In older versions of Wingate,
it was possible to bind a service to a specific interface, and to apply
policies based on source IPs, so it should be possible to work around the
problem by:
1. Binding only the interface which will accept the connections from the
clients (normally on the inside of the firewall).
2. Setting a policy which denies connections from any of the machine's
local IP addresses (preventing this sort of relay loop).
I don't have this version of Wingate available, so can't test these
workarounds.
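
The two workarounds above, modelled as an added example (not part of the original post, and not WinGate's configuration syntax or API): it shows that binding alone still admits a connection the proxy makes to its own inside address, which the source-address policy then rejects. The class name, function names and all addresses are constructed assumptions.

```python
import ipaddress

class ListenerPolicy:
    """Hypothetical model of a proxy listener's admission rules (not WinGate's API)."""

    def __init__(self, bind_addr, host_addrs):
        # Workaround 1: the service listens on one interface only.
        self.bind_addr = ipaddress.ip_address(bind_addr)
        # Workaround 2: every address the proxy host itself owns is denied as a source.
        self.host_addrs = {ipaddress.ip_address(a) for a in host_addrs}

    def _is_own_address(self, addr):
        ip = ipaddress.ip_address(addr)
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped  # treat ::ffff:a.b.c.d as a.b.c.d
        return ip.is_loopback or ip in self.host_addrs

    def admit(self, arrived_on, source):
        """Return (allowed, reason) for a connection seen on `arrived_on` from `source`."""
        if ipaddress.ip_address(arrived_on) != self.bind_addr:
            return False, "listener not bound to this interface"
        if self._is_own_address(source):
            return False, "source is one of the proxy's own addresses"
        return True, "client accepted"

# Constructed sample: inside interface 192.168.0.1, outside interface 203.0.113.5.
POLICY = ListenerPolicy("192.168.0.1", ["192.168.0.1", "203.0.113.5"])
SAMPLES = [
    ("192.168.0.1", "192.168.0.23"),      # ordinary inside client
    ("203.0.113.5", "198.51.100.7"),      # arrives on the outside interface
    ("127.0.0.1", "127.0.0.1"),           # proxy connecting to itself via loopback
    ("192.168.0.1", "192.168.0.1"),       # proxy connecting to its own inside address
    ("192.168.0.1", "::ffff:127.0.0.1"),  # loopback written as IPv4-mapped IPv6
]

def evaluate(policy=POLICY, samples=SAMPLES):
    """Apply the policy to each (arrived_on, source) pair."""
    return [policy.admit(arrived_on, source) for arrived_on, source in samples]

if __name__ == "__main__":
    for (arrived_on, source), (ok, why) in zip(SAMPLES, evaluate()):
        print(f"{source:>18} -> {arrived_on:<12} {'ALLOW' if ok else 'DENY '} {why}")
```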