The Inquirer-Home

Bug opens up Javascript browsers to hackers

Microsoft unmoved
Tue Jul 30 2002, 12:03
A RECENTLY-DISCOVERED vulnerability allows Javascript-enabled browsers to be used to make networked PCs available to an external attacker.

But Microsoft has chosen to ignore it.

The hole was discovered by Adam Megacz and the details were posted here yesterday.

"The exploit," says the posting, "allows an attacker to use any JavaScript-enabled web browser behind a firewall to retrieve content from (HTTP GET) and interact with (HTTP POST) any HTTP server behind the firewall. If the client in use is Microsoft Internet Explorer 5.0+, Mozilla, or Netscape 6.2+, the attacker can also make calls to SOAP or XML-RPC web services deployed behind the firewall."

As is usual, Mr Megacz made the browser makers aware of the problem thirty days ago but, as yet, none has come up with a fix. Expect hackers everywhere to be fiddling with this little chink in the armoured Web, just because they can.

Microsoft's PR department apparently said it would not issue a patch or hotfix, but would prefer to downplay the severity of the vulnerability instead.

SecurityFocus suggested the following work-around: "Web servers behind firewalls," said Dave Ahmad, "should be configured to reject any HTTP requests with an unrecognized 'Host' header, rather than serving pages from the 'default' virtual host. This can be accomplished without patches by creating a 'default' virtual host with no content, and creating a name-based virtual server for each hostname which the server is intended to serve as."
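
The work-around quoted above, sketched as an added example (not code from the article, SecurityFocus or any web server): a request is served only when its Host header names a configured virtual host, and everything else falls through to an empty default. The hostnames, status codes, function names and the CRLF-only parsing are assumptions made for illustration.

```python
# Hostnames this server is intended to serve (constructed sample values).
ALLOWED_HOSTS = {"intranet.example.internal", "wiki.example.internal"}


def normalize_host(value):
    """Lower-case a Host header value and strip the port and trailing dot."""
    host = value.strip().lower()
    if host.startswith("["):                 # IPv6 literal such as [::1]:8080
        end = host.find("]")
        return host[: end + 1] if end != -1 else None
    host = host.split(":", 1)[0]             # drop ":port" if present
    return host.rstrip(".") or None


def host_headers(raw_request):
    """Return every Host header value found in a raw HTTP request head."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:      # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            values.append(value)
    return values


def decide(raw_request, allowed=ALLOWED_HOSTS):
    """Return (status, reason); only a single, known Host value is served."""
    values = host_headers(raw_request)
    if len(values) != 1:
        return 400, "missing or duplicate Host header"
    host = normalize_host(values[0])
    if host is None or host not in allowed:
        return 403, "unrecognized Host (empty default virtual host)"
    return 200, "served by name-based virtual host " + host


# Constructed sample requests, not captured traffic.
SAMPLES = {
    "known": "GET / HTTP/1.1\r\nHost: Intranet.Example.Internal:80\r\n\r\n",
    "foreign": "GET / HTTP/1.1\r\nHost: other.example\r\n\r\n",
    "ip_literal": "GET / HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\n",
    "no_host": "GET / HTTP/1.0\r\n\r\n",
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(label, decide(request))
```

Requests that carry a bare IP address or no Host header at all are rejected along with unknown names, since neither matches a configured name-based virtual host.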

Sysadmins, having had a glory day on Friday, may earn their bread today. µ

 
