
Re: [cobalt-security] Possibly OT - Telnet and HTTP



Thanks Graeme for this very helpful reply. Thanks also to Harald Kapper in
Austria who pointed out that the GET and HTTP parts are case-sensitive which
I didn't know.

Eddie Bishop

----- Original Message -----
From: Graeme Fowler <graeme.fowler@xxxxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Sent: Thursday, October 18, 2001 3:33 PM
Subject: RE: [cobalt-security] Possibly OT - Telnet and HTTP


> Edward Bishop wrote:
>
> > The HTTP tutorials etc on the web all suggest that you telnet to a web
> > server to experiment with HTTP requests and responses, eg
> > telnet www.some-server.com 80
> > and then send
> > get /path/index.htm http/1.1
> >
> > but I can't get anything except 500, 501 and 502 errors. Has
> > anyone ever made this work?
>
> Erm, yes. Rather frequently!
>
> > Does it fail because everyone has disabled Telnet access for
> > security reasons? If so, how does the HTTP server tell the difference
> > between a browser and a Telnet client connecting to port 80?
>
> Disabling telnet as a *service* prevents you from connecting to the telnet
> server on port 23. You're using a telnet *client* to connect to port 80,
> hence the ' 80' after the IP address.
>
> You get the errors because you're asking for a HTTP/1.1 request and not
> specifying a hostname. Either do:
>
> telnet www.some-server.com 80
> <wait for connected banner>
> GET /path/file.html HTTP/1.1
> Host: www.some-server.com
>
> and hit return twice. Or:
>
> telnet www.some-server.com 80
> <wait for connected banner>
> GET /path/file.html HTTP/1.0
>
> and hit return twice. HTTP/1.1 was the extension to the HTTP protocol which
> allows name-based, rather than IP-based, virtual hosting. It means you can
> have several virtual sites handled by the same server application on the
> same IP address, and is the way that pretty much all commercial hosting is
> done.
>
> Don't get confused between telnet as a *server* and telnet as a client. When
> you use the telnet client to connect to port 80 of a webserver and feed it
> the correctly formatted query, the server doesn't know if you're a browser
> application or not. It just does as it's asked!
>
> HTH
>
> Graeme
> --
> Graeme Fowler
> System Administrator
> Host Europe Group PLC
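
The Host-header behaviour described in the reply above, as an added example that is not part of the original thread: a toy name-based virtual-host server on localhost plus a client that sends exactly the bytes a telnet session would. The host names, the function names and the status code chosen for each error are assumptions of this sketch; real servers may answer malformed requests with other codes.

```python
import socket
import threading

# Constructed virtual hosts sharing one IP address and port (names are hypothetical).
SITES = {"www.site-a.example": b"site A\n", "www.site-b.example": b"site B\n"}

def handle(conn):
    """Answer one request the way a name-based virtual-host server decides."""
    with conn:
        data = b""
        while b"\r\n\r\n" not in data:            # the blank line is "hit return twice"
            chunk = conn.recv(4096)
            if not chunk:
                return
            data += chunk
        lines = data.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
        parts = lines[0].split(" ")
        # Header names are case-insensitive, unlike the method and version tokens.
        headers = {n.strip().lower(): v.strip() for n, _, v in (l.partition(":") for l in lines[1:])}
        host = headers.get("host")
        if parts[0] != "GET":                      # lowercase "get" is an unknown method
            status, body = "501 Not Implemented", b"unknown method\n"
        elif len(parts) != 3 or not parts[2].startswith("HTTP/"):
            status, body = "400 Bad Request", b"malformed request line\n"
        elif parts[2] == "HTTP/1.1" and host is None:
            status, body = "400 Bad Request", b"HTTP/1.1 requires a Host header\n"
        else:                                      # HTTP/1.0 without Host gets the default site
            status, body = "200 OK", SITES.get((host or "").lower(), SITES["www.site-a.example"])
        reply = f"HTTP/1.1 {status}\r\nContent-Length: {len(body)}\r\nConnection: close\r\n\r\n"
        conn.sendall(reply.encode() + body)

def start_server():
    """Listen on an ephemeral localhost port in a background thread; return the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    def loop():
        while True:
            handle(srv.accept()[0])
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def raw_request(port, text):
    """Send text exactly as typed into a telnet client; return (status line, body)."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(text.encode("latin-1"))
        resp = b"".join(iter(lambda: s.recv(4096), b""))
    head, _, body = resp.partition(b"\r\n\r\n")
    return head.split(b"\r\n")[0].decode(), body.decode()
```

Call `start_server()` once, then pass each request to `raw_request()` with `\r\n` line endings to compare the lowercase request, the HTTP/1.1 request without Host, and the two working forms from the reply.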