[13448] in bugtraq
Re: IIS still revealing paths for web directories
daemon@ATHENA.MIT.EDU (Kevin Matthew)
Thu Jan 20 16:08:26 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.4.21.0001191351160.13460-100000@mail.wincom.net>
Date:         Wed, 19 Jan 2000 13:59:01 -0500
Reply-To: Kevin Matthew <kevinm@WINCOM.NET>
From: Kevin Matthew <kevinm@WINCOM.NET>
X-To:         Brock Tellier <btellier@USA.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20000118170311.21244.qmail@nwcst294.netaddress.usa.net>
Hello,
	There's another glitch when you have a password-protected
web directory with IIS5 and send http://www.iisServer.blah/blah.ida.
When the root folder on that website is password protected you do not get
asked to authenticate but you just receive the error like other
postings.  Ditto with guessing content of that folder: the server would not
ask for the auth but just report a missing .ida file with full path of the
local file.
	IIS should ask for the password before giving out anything else.
Kevin Matthew <kevinm@wincom.net>
Windsor Information Network Company Limited (WINCOM)
4325 County Road 42, Unit 10
Windsor, Ontario N8A 6J3
____________________________________________________
Phone: 519.972.1007  Fax: 519.972.7009
On Tue, 18 Jan 2000, Brock Tellier wrote:
> BTW, different error messages are given depending on whether or not the path
> up to the idq file exists.  In my brief testing:
>
> http://www.example.com/exists/bah.ida
> yields
> The IDQ file C:\Inetpub\wwwroot\exists\bah.ida could not be found.
>
>
> http://www.example.com/doesntexist/bah.ida
> yields
> File C:\Inetpub\wwwroot\doesntexist\bah.ida. The system cannot find the path
> specified.
>
> Brock Tellier
> UNIX Systems Administrator
> Chicago, IL, USA
> btellier@usa.net
>
> Frank Knobbe at Home <FKnobbe@HOME.COM> wrote:
> >
> > > -----Original Message-----
> > > From: Chris Tobkin [mailto:tobkin@SOFTWARE.UMN.EDU]
> > > Sent: Wednesday, January 12, 2000 2:08 PM
> > >
> > > > The same problem still exists on IIS4 (tested with SP5 - didn't try on SP6).
> > >
> > > Still exists as far back as IIS3 also. (SP6a)
> >
> > Can't reproduce the problem with IIS3 and SP6.
> >
> > BTW: I'm running IIS3 on several servers without problems. I did not
> > want to upgrade to IIS4 due to the complexity of its internal
> > processes (and all those exploits that followed). My main complaint
> > is still that I do not want to run IIS under the system account as
> > IIS4 requires.
> >
> > Anyway, a time will come when we need to upgrade to W2K and IIS5.
> > Does anyone have a comparison or analysis of IIS5 in respect to
> > security (data channels, posting acceptors, etc)?
> >
> > Regards,
> > Frank
> >
> >
>
>
>
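
Added example, not part of the original thread: a check a site operator could run over responses captured from their own server to flag the two behaviours discussed above, a local file path in the error body and an error returned for a protected path without an authentication challenge. The function names, the status codes and the "Access denied." body are assumptions; the two error bodies reuse the strings quoted in the thread.

```python
import re
from urllib.parse import urlsplit

# Windows absolute path ending in a file name,
# e.g. C:\Inetpub\wwwroot\exists\bah.ida
WIN_PATH = re.compile(r"\b[A-Za-z]:\\(?:[\w.-]+\\)*[\w-]+\.\w+")


def audit_response(url, status, body, protected_prefixes):
    """Return (kind, detail) findings for one captured HTTP response."""
    findings = []
    # 1. Any local filesystem path in the body is an information leak.
    for leaked in WIN_PATH.findall(body):
        findings.append(("path-disclosure", leaked))
    # 2. A request under a protected prefix should be refused (401/403)
    #    before the server says anything else about it.
    req_path = urlsplit(url).path
    protected = any(req_path.startswith(p) for p in protected_prefixes)
    if protected and status not in (401, 403):
        findings.append(("no-auth-challenge", req_path))
    return findings


# Constructed samples. Status codes are assumed for illustration.
SAMPLES = [
    ("http://www.example.com/exists/bah.ida", 200,
     r"The IDQ file C:\Inetpub\wwwroot\exists\bah.ida could not be found."),
    ("http://www.example.com/doesntexist/bah.ida", 200,
     r"File C:\Inetpub\wwwroot\doesntexist\bah.ida. "
     r"The system cannot find the path specified."),
    ("http://www.example.com/exists/index.html", 401, "Access denied."),
]


def audit_all(samples, protected_prefixes):
    """Audit every (url, status, body) sample; map URL -> findings."""
    return {url: audit_response(url, status, body, protected_prefixes)
            for url, status, body in samples}


if __name__ == "__main__":
    # Treat the whole site root as password protected, as in the report.
    for url, findings in audit_all(SAMPLES, ["/"]).items():
        print(url, findings or "ok")
```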