[Zope] Banner Grabbing

Robert Segall roseg at apsis.ch
Tue Sep 30 22:40:21 EDT 2003


On Wednesday 01 October 2003 04:05, Jamie Heilman wrote:
> Robert Segall wrote:
> > Actually this is useful: if you have a proxy in front of Zope and it
> > passes the headers through unchanged any attacker will try to attack Zope
> > rather than the proxy. Of course, it won't work.
> >
> > This is a bit of "security through obscurity", but any little bit helps.
> > In the Pound logs we see every day quite a few nasty attempts against IIS
> > servers which fail because Pound rejects them...
>
> Stop.  Read what you've said, it doesn't make any sense.  You're
> claiming an attacker won't target your proxy server because it doesn't
> identify itself to the client.  Then you turn right around and admit
> you see several attempted IIS exploits in your logs every day.  Does
> your Zope server identify itself as IIS, does your gateway server?
> See where I'm going with this?

Sorry, I may not have written as clearly as I should have (it is late at 
night here and I'm trying to wrap up something else).

Imagine the setup where your web server is IIS (not Zope pretending to be 
one, but really IIS) and Pound is used as a proxy in front of it. Attackers 
who think they are dealing with IIS (because of the headers) try to attack it 
by the normal IIS-specific methods (mostly buffer overflows, Nimda/CodeRed). 
These attempts are caught and rejected by Pound - the log entries I was 
referring to.

Granted, this is not that much security, but still two separate systems 
attempting to validate the same request by different methods (once the proxy, 
then the actual web server) should be better than one.

It is also true that any proxy you use may introduce vulnerabilities of its 
own, which may be exploited. However, it is quite often the case that a proxy 
is a simpler piece of software than a web server, and thus easier to check 
for errors/vulnerabilities, and certainly easier to run in a root-jail, 
possibly on a separate machine.

Hope this clears up the misunderstanding.
-- 
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-1-920 4904
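The layering argument above (a syntax-oriented proxy check in front, a content-aware backend check behind it) can be made concrete with a small model. The following is an added example, not code from the post or from Pound itself; the limits, the allowed-method list, the served paths and the sample request lines are all constructed assumptions for illustration, not Pound's actual defaults or real traffic.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Policy values are assumptions for this example, not Pound's real defaults.
MAX_REQUEST_LINE = 4096
ALLOWED_METHODS = frozenset({"GET", "HEAD", "POST"})
REQUEST_LINE_RE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")

# Constructed stand-in for the origin server's content tree; a real backend
# (IIS or Zope in the thread) resolves paths against its own filesystem/ZODB.
BACKEND_PATHS = frozenset({"/index.html", "/about.html", "/images/logo.png"})


@dataclass(frozen=True)
class Verdict:
    layer: str       # which layer produced the verdict: "proxy" or "backend"
    accepted: bool
    reason: str


def proxy_check(request_line: str) -> Verdict:
    """Syntactic checks a front proxy can apply without knowing the backend."""
    if len(request_line) > MAX_REQUEST_LINE:
        return Verdict("proxy", False, "request line exceeds %d bytes" % MAX_REQUEST_LINE)
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in request_line):
        return Verdict("proxy", False, "non-printable byte in request line")
    m = REQUEST_LINE_RE.match(request_line)
    if not m:
        return Verdict("proxy", False, "malformed request line")
    method, target = m.group(1), m.group(2)
    if method not in ALLOWED_METHODS:
        return Verdict("proxy", False, "method %s not allowed" % method)
    if not target.startswith("/"):
        return Verdict("proxy", False, "request target must be an absolute path")
    # Decode %-escapes before inspecting segments so an encoded '..' is caught too.
    path = unquote(target.split("?", 1)[0])
    if ".." in path.split("/"):
        return Verdict("proxy", False, "dot-dot segment in path")
    return Verdict("proxy", True, "forwarded")


def backend_check(request_line: str) -> Verdict:
    """Semantic check the origin server applies with knowledge of its content.

    Only ever called on a request line the proxy has already accepted, so the
    request-line shape is known to be 'METHOD TARGET VERSION'."""
    target = request_line.split(" ")[1]
    path = unquote(target.split("?", 1)[0])
    if path not in BACKEND_PATHS:
        return Verdict("backend", False, "no such resource")
    return Verdict("backend", True, "served")


def evaluate(request_line: str) -> Verdict:
    """Run the two layers in order; the backend only sees what the proxy forwarded."""
    v = proxy_check(request_line)
    if not v.accepted:
        return v
    return backend_check(request_line)


# Constructed sample request lines: one benign, several malformed in different
# ways, and one well-formed request for a resource that does not exist.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",                    # accepted by both layers
    "GET /" + "A" * 5000 + " HTTP/1.0",            # overlong line: proxy rejects
    "GET /images/..%2F..%2Fprivate.txt HTTP/1.0",  # encoded traversal: proxy rejects
    "GET /index.html\x00 HTTP/1.0",                # NUL byte: proxy rejects
    "TRACE / HTTP/1.0",                            # method not in policy: proxy rejects
    "GET /missing.html HTTP/1.1",                  # proxy forwards, backend rejects
]


def run_samples() -> list:
    """Evaluate every sample and return the verdicts in order."""
    return [evaluate(r) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, run_samples()):
        print("%-45s -> %-7s %-8s %s" % (req[:42], verdict.layer,
                                         "accept" if verdict.accepted else "reject",
                                         verdict.reason))
```

The point of the model is the last two samples: the proxy has no idea which paths exist, so it forwards `/missing.html`, while the backend has no business parsing raw request-line bytes and never sees the overlong, NUL-containing or traversal lines at all. Each layer rejects what it is competent to judge, which is the "two separate systems validating the same request by different methods" the post describes.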