Hi Daniel & Daniel I agree this can lead to security holes.
There are ways to make it "more secure" (if you can call it secure), here are some links about this subject : (sorry for wrapped urls) http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/remote_procedure_calls_using_rpc_over_http.asp http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/rpc_over_http_security.asp http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx http://www.scripting.com/98/04/stories/bobAtkinsonOnHttpPost.html http://www.winnetmag.com/MicrosoftExchangeOutlook/Article/ArticleID/40018/MicrosoftExchangeOutlook_40018.html http://www.sanx.org/tipShow.asp?articleRef=117 http://www.kb.cert.org/vuls/id/698564 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0807 http://searchexchange.techtarget.com/originalContent/0,289142,sid43_gci963557,00.html Have a nice day Maxime Ducharme Programmeur / Spécialiste en sécurité réseau ----- Original Message ----- From: "Daniel H. Renner" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, October 13, 2004 11:37 AM Subject: Re: [Full-Disclosure] Possibly a stupid question RPC over HTTP > Daniel, > > Could you please point out where you read this data? I would like to > see this one... > -- > Daniel H. Renner <[EMAIL PROTECTED]> > Los Angeles Computerhelp > > > On Tue, 2004-10-12 at 20:54, [EMAIL PROTECTED] > wrote: > > Message: 18 > > Date: Tue, 12 Oct 2004 12:41:56 -0700 > > From: "Daniel Sichel" <[EMAIL PROTECTED]> > > To: <[EMAIL PROTECTED]> > > Subject: [Full-Disclosure] Possibly a stupid question RPC over HTTP > > > > This may just reflect my ignorance, but I read (and found hard to > > believe) that Microsoft has implemented RPC over HTTP. Is this not a > > HUGE security hole? If I understand it correctly it means that good old > > HTML or XML can invoke a process using standard web traffic (port 80)? > > Is there any permission checking done? what things can be invoked by RPC > > over HTTP? Jeeze, to me it looks like the barn door is now wide open. Am > > I right, and if so, how can I detect RPCs in web traffic to block this > > junk? Can ANY stateful packet filter see this stuff or is the pattern > > too broad in allowed RPCs? > > > > Again, I hope this is not a stupid question or inappropriate format for > > this, as somebody else recently said, there is already enough noise on > > this list. I would hate to see this list degenerate, it has been REALLY > > valuable to me as a network engineer on occaison. > > > > Thanks all, > > Dan Sichel > > Ponderosa telephone > > [EMAIL PROTECTED] > > > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html