Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Thor Larholm (thor_at_pivx.com)
Date: Tue Jul 30 2002 - 04:50:40 CDT
> From: Microsoft Security Response Center [mailto:securemicrosoft.com]
<snip mitigating factors>
I for one am in agreement on this issue, especially with regards to
"Default" sites on e.g. IIS - it is very uncommon for anyone to serve
content from the "Default" site (without checking the Host header) these
That's not to say that sites like support.microsoft.com does not do this as
it seems to operate on the "Default" site, neglecting the most important
I still quite fail to see the relevance to firewalls, as nothing is
circumvented - the administrator has explicitly allowed HTTP traffic on
(most often) port 80.
Out of plain curiosity, how is this fixed in IE6SP1 - as the Netscape team
fixed it by demanding both sites to set document.domain, regardless if one
is the parent?
Thor Larholm, Security Researcher
PivX Solutions, LLC
Are You Secure?