[13421] in bugtraq
Re: IIS still revealing paths for web directories
daemon@ATHENA.MIT.EDU (Brock Tellier)
Wed Jan 19 12:11:06 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Message-Id: <20000118170311.21244.qmail@nwcst294.netaddress.usa.net>
Date: Tue, 18 Jan 2000 11:03:09 CST
Reply-To: Brock Tellier <btellier@USA.NET>
From: Brock Tellier <btellier@USA.NET>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
Content-Transfer-Encoding: 8bit

BTW, different error messages are given depending on whether or not the path
up to the idq file exists. In my brief testing:

http://www.example.com/exists/bah.ida
yields
The IDQ file C:\Inetpub\wwwroot\exists\bah.ida could not be found.

http://www.example.com/doesntexist/bah.ida
yields
File C:\Inetpub\wwwroot\doesntexist\bah.ida. The system cannot find the path specified.

Brock Tellier
UNIX Systems Administrator
Chicago, IL, USA
btellier@usa.net

Frank Knobbe at Home <FKnobbe@HOME.COM> wrote:
> > -----Original Message-----
> > From: Chris Tobkin [mailto:tobkin@SOFTWARE.UMN.EDU]
> > Sent: Wednesday, January 12, 2000 2:08 PM
> >
> > > The same problem still exists on IIS4 (tested with SP5 - didn't try on
> > > SP6).
> >
> > Still exists as far back as IIS3 also. (SP6a)
>
> Can't reproduce the problem with IIS3 and SP6.
>
> BTW: I'm running IIS3 on several servers without problems. I did not
> want to upgrade to IIS4 due to the complexity of its internal
> processes (and all those exploits that followed). My main complaint
> is still that I do not want to run IIS under the system account as
> IIS4 requires.
>
> Anyway, a time will come when we need to upgrade to W2K and IIS5.
> Does anyone have a comparison or analysis of IIS5 in respect to
> security (data channels, posting acceptors, etc)?
>
> Regards,
> Frank
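
The two error bodies quoted at the top of this message can be turned into a check that an administrator runs over responses captured from their own server, to confirm whether error pages still disclose a physical path and whether the wording still distinguishes an existing directory from a missing one. This is an added example, not part of the original post; the names classify, audit, Finding and SAMPLES are hypothetical, and the 404 body in the sample data is constructed.

```python
import re
from typing import NamedTuple, Optional
from urllib.parse import urlsplit

# The two message shapes quoted in the post; both embed a Windows physical path.
IDQ_NOT_FOUND = re.compile(
    r"The IDQ file\s+([A-Za-z]:\\.+?)\s+could not be found", re.I)
PATH_NOT_FOUND = re.compile(
    r"File\s+([A-Za-z]:\\.+?)\.\s+The system cannot find the path specified", re.I)

class Finding(NamedTuple):
    leaked_path: str
    directory_exists: bool  # what the wording reveals about the parent directory

def classify(body: str) -> Optional[Finding]:
    """Return what an error body discloses, or None if neither message is present."""
    text = " ".join(body.split())  # undo line wrapping inside the message
    m = IDQ_NOT_FOUND.search(text)
    if m:
        return Finding(m.group(1), True)
    m = PATH_NOT_FOUND.search(text)
    if m:
        return Finding(m.group(1), False)
    return None

def audit(responses):
    """responses: (url, body) pairs captured from your own server.
    Returns (url, directory_exists, disclosed_root) for every leaking response."""
    report = []
    for url, body in responses:
        f = classify(body)
        if f is None:
            continue
        # The URL path mapped to backslashes is the tail of the leaked path;
        # whatever precedes it is the web root the server gave away.
        tail = urlsplit(url).path.replace("/", "\\")
        leaks_root = f.leaked_path.lower().endswith(tail.lower())
        root = f.leaked_path[:-len(tail)] if leaks_root else None
        report.append((url, f.directory_exists, root))
    return report

# Sample data: the first two bodies are the messages quoted in the post,
# the third is a constructed non-leaking error page.
SAMPLES = [
    ("http://www.example.com/exists/bah.ida",
     r"The IDQ file C:\Inetpub\wwwroot\exists\bah.ida could not be found."),
    ("http://www.example.com/doesntexist/bah.ida",
     r"File C:\Inetpub\wwwroot\doesntexist\bah.ida. The system cannot find the path"
     "\nspecified."),
    ("http://www.example.com/other/bah.ida", "<h1>404 Not Found</h1>"),
]
```

An empty list from audit() means none of the captured responses contain either message.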