> From: Microsoft Security Response Center [mailto:secure@microsoft.com]
<snip mitigating factors>

I for one am in agreement on this issue, especially with regards to "Default" sites on e.g. IIS - it is very uncommon for anyone to serve content from the "Default" site (without checking the Host header) these days. That's not to say that sites like support.microsoft.com do not do this, as it seems to operate on the "Default" site, neglecting the most important mitigating factor.

I still quite fail to see the relevance to firewalls, as nothing is circumvented - the administrator has explicitly allowed HTTP traffic on (most often) port 80.

Out of plain curiosity, how is this fixed in IE6 SP1 - as the Netscape team fixed it by demanding that both sites set document.domain, regardless of whether one is the parent?

Regards
Thor Larholm, Security Researcher
PivX Solutions, LLC
Are You Secure? http://www.PivX.com
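Added example, not code from the post, Netscape or Microsoft: a small JavaScript model of the two document.domain rules the question above contrasts (a page reaching a parent-domain page that never opted in, versus requiring both pages to set document.domain). The origin fields and the requireBothToSet switch are assumptions made for illustration.

```javascript
// Added example (not from the original post): models the document.domain
// same-origin relaxation. All origins below are constructed sample values.

// Browsers only let a page set document.domain to its own host or a parent
// domain (a dot-separated suffix), never to an unrelated host.
function isValidDomainSuffix(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// An origin as the browser sees it: scheme, host, port, plus the value the
// page assigned to document.domain (null if it never did).
function makeOrigin(scheme, host, port, domainSet = null) {
  if (domainSet !== null && !isValidDomainSuffix(host, domainSet)) {
    throw new Error(`document.domain "${domainSet}" is not a suffix of ${host}`);
  }
  return { scheme, host, port, domainSet };
}

// Domain used for the relaxed comparison once a page has opted in.
function effectiveDomain(o) {
  return o.domainSet === null ? o.host : o.domainSet;
}

// Decide whether page a may script page b.
// requireBothToSet = true models the stricter rule the post attributes to
// Netscape: unless BOTH pages set document.domain, fall back to a full
// scheme/host/port comparison. With false, a page that set document.domain
// to a parent can reach any page whose hostname equals that parent, even one
// that never opted in (the weaker behaviour the question asks about).
function canScript(a, b, requireBothToSet) {
  if (a.scheme !== b.scheme || a.port !== b.port) return false;
  const bothSet = a.domainSet !== null && b.domainSet !== null;
  const neitherSet = a.domainSet === null && b.domainSet === null;
  if (requireBothToSet && !bothSet && !neitherSet) return false; // opt-in mismatch
  if (neitherSet) return a.host === b.host;
  return effectiveDomain(a) === effectiveDomain(b);
}
```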