I've just noticed that if I connect to our
HTTPS-enabled Webmin server using HTTP instead of
HTTPS, I get an error page telling me to use the HTTPS
site. The HTTP headers look like this:
GET / HTTP/1.0
HTTP/1.0 200 Bad Request
Date: Tue, 26 Oct 2004 00:19:50 GMT
Well, that isn't quite correct, is it? I mean -
shouldn't that be something other than HTTP 200? Like
either a 400 (Bad Request) or, better yet, a 301 (Moved
Permanently) referencing the https URL.
The reason I found it was that I was running Nessus
against the box - and it HAMMERED port 10000 using HTTP,
trying to find broken/insecure web software, etc.
Obviously it can't get past that error page using HTTP.
Returning a 301 would have (probably) made Nessus turn
into HTTPS mode and allowed it to continue with fewer
errors. Better for everyone :-)
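As an added example (not part of the original post, and not Webmin's own code): a small Python check that flags the mismatched status line quoted above, plus a helper that builds the 301-to-HTTPS response the poster suggests. The host name and port in the usage are assumed.

```python
from http import HTTPStatus
from urllib.parse import urlsplit

# Constructed sample, shaped like the exchange quoted in the post.
SAMPLE_STATUS_LINE = "HTTP/1.0 200 Bad Request"
SAMPLE_HEADERS = {"Date": "Tue, 26 Oct 2004 00:19:50 GMT"}

def parse_status_line(line):
    """Split 'HTTP/1.0 200 Bad Request' into (version, code, reason)."""
    parts = line.strip().split(" ", 2)
    reason = parts[2] if len(parts) > 2 else ""
    return parts[0], int(parts[1]), reason

def check_response(status_line, headers):
    """Return findings for an HTTP response from an HTTPS-only site.

    An empty list means the code and reason phrase agree and the
    response is a redirect whose Location is an https:// URL.
    """
    findings = []
    _version, code, reason = parse_status_line(status_line)
    try:
        canonical = HTTPStatus(code).phrase
    except ValueError:
        canonical = None  # unknown code; nothing to compare against
    if canonical is not None and reason != canonical:
        findings.append(f"reason phrase {reason!r} does not match status {code} ({canonical})")
    hdrs = {k.lower(): v for k, v in headers.items()}
    if code in (301, 302, 307, 308):
        location = hdrs.get("location", "")
        if urlsplit(location).scheme != "https":
            findings.append(f"redirect Location {location!r} is not an https:// URL")
    else:
        findings.append(f"status {code} is not a redirect; expected 301 plus a Location header")
    return findings

def build_https_redirect(host, port, path="/"):
    """Status line and headers for the redirect the poster suggests (host/port assumed)."""
    location = f"https://{host}:{port}{path}"  # keep the requested path, change only the scheme
    headers = {"Location": location, "Content-Length": "0", "Connection": "close"}
    return "HTTP/1.0 301 Moved Permanently", headers

if __name__ == "__main__":
    for finding in check_response(SAMPLE_STATUS_LINE, SAMPLE_HEADERS):
        print("finding:", finding)
    print(*build_https_redirect("webmin.example", 10000))
```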