[13476] in bugtraq


Re: IIS still revealing paths for web directories

daemon@ATHENA.MIT.EDU (Michael Howard)
Fri Jan 21 15:47:15 2000

Mime-Version: 1.0
Message-Id:  <BBE1B65AF746D111868B00805FFEEF641D727279@RED-MSG-53>
Date:         Thu, 20 Jan 2000 13:28:46 -0800
Reply-To: Michael Howard <mikehow@MICROSOFT.COM>
From: Michael Howard <mikehow@MICROSOFT.COM>
X-To:         Kevin Matthew <kevinm@WINCOM.NET>, BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM


what auth schemes are you using? if you've already used basic auth and
the .ida stuff is in the same realm as the previous basic auth realm
then you won't get prompted until you either (a) switch realms or (b)
use another auth scheme.

Cheers, Michael Howard
Windows 2000 Security
Got an 'Access Denied' problem? Check the appropriate logs first!


-----Original Message-----
From: Kevin Matthew [mailto:kevinm@WINCOM.NET]
Sent: Wednesday, January 19, 2000 10:59 AM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: IIS still revealing paths for web directories


Hello,

	There's another glitch when you have a password protected
web directory with IIS5 and sending the http://www.iisServer.blah/blah.ida.
When the root folder on that website is password protected you do not
get asked to authenticate but you just receive the error like other
postings.  Ditto with guessing content of that folder: the server would
not ask for the auth but just report a missing .ida file with full path of
the local file.

	IIS should ask for the password before giving out anything else.

Kevin Matthew <kevinm@wincom.net>
Windsor Information Network Company Limited (WINCOM)
4325 County Road 42, Unit 10
Windsor, Ontario N8A 6J3
____________________________________________________
Phone: 519.972.1007  Fax: 519.972.7009


On Tue, 18 Jan 2000, Brock Tellier wrote:

> BTW, different error messages are given depending on whether or not
> the path up to the idq file exists.  In my brief testing:
>
> http://www.example.com/exists/bah.ida
> yields
> The IDQ file C:\Inetpub\wwwroot\exists\bah.ida could not be found.
>
>
> http://www.example.com/doesntexist/bah.ida
> yields
> File C:\Inetpub\wwwroot\doesntexist\bah.ida. The system cannot find
> the path specified.
>
> Brock Tellier
> UNIX Systems Administrator
> Chicago, IL, USA
> btellier@usa.net
>
> Frank Knobbe at Home <FKnobbe@HOME.COM> wrote:
> >
> > > -----Original Message-----
> > > From: Chris Tobkin [mailto:tobkin@SOFTWARE.UMN.EDU]
> > > Sent: Wednesday, January 12, 2000 2:08 PM
> > >
> > > > The same problem still exists on IIS4 (tested with SP5 -
> > > > didn't try on SP6).
> > >
> > > Still exists as far back as IIS3 also. (SP6a)
> >
> > Can't reproduce the problem with IIS3 and SP6.
> >
> > BTW: I'm running IIS3 on several servers without problems. I did not
> > want to upgrade to IIS4 due to the complexity of its internal
> > processes (and all those exploits that followed). My main complaint
> > is still that I do not want to run IIS under the system account as
> > IIS4 requires.
> >
> > Anyway, a time will come when we need to upgrade to W2K and IIS5.
> > Does anyone have a comparison or analysis of IIS5 in respect to
> > security (data channels, posting acceptors, etc)?
> >
> > Regards,
> > Frank
> >
> >
>
>
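The two behaviours reported in this thread, an Index Server error page that echoes the physical path of the requested .ida/.idq file, and the request pattern that triggers it, can be turned into a defender's own check. The Python below is an added example, not code from any of the posters or from Microsoft; the response bodies, log lines and status codes it uses are constructed for illustration (the IIS W3C extended log field names are the real ones, the values are made up). It shows how to confirm that an error page no longer leaks an absolute path, and how to pull requests for .ida/.idq resources out of an IIS log so that a client trying many distinct paths stands out.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# 1. Response check: does an error page echo an absolute Windows path?
# Matches a drive letter, a colon, a backslash and then anything up to
# whitespace, a quote or an angle bracket; trailing sentence punctuation is
# trimmed afterwards so "...bah.ida." yields the path without the period.
WIN_PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"<>]+")


def find_physical_paths(body: str) -> List[str]:
    """Return every absolute Windows path found in a response body."""
    return [m.rstrip(".,;") for m in WIN_PATH_RE.findall(body)]


# 2. Log check: which clients are requesting Index Server .ida/.idq resources?
INDEX_SERVER_EXT = (".ida", ".idq")


def parse_w3c(lines: Iterable[str]):
    """Yield one dict per entry of an IIS W3C extended log.

    Column names come from the '#Fields:' directive, so the parser works for
    any field selection; other '#' directives are skipped.
    """
    fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log entry seen before a #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed entry: skip rather than misalign columns
        yield dict(zip(fields, values))


def index_server_probes(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map client IP -> URI stems it requested that end in .ida or .idq.

    The status code is deliberately not used as a filter: the thread shows
    the path leak living in the error body, and the code IIS attaches to it
    is not stated in the posts, so every such request is reported and the
    reader judges by volume and by how many distinct paths one client tried.
    """
    hits: Dict[str, List[str]] = defaultdict(list)
    for rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "")
        if stem.lower().endswith(INDEX_SERVER_EXT):
            hits[rec["c-ip"]].append(stem)
    return dict(hits)


# Constructed sample data (not real server output; status codes are made up).
SAMPLE_RESPONSES = [
    r"The IDQ file C:\Inetpub\wwwroot\exists\bah.ida could not be found.",
    r"File C:\Inetpub\wwwroot\doesntexist\bah.ida. The system cannot find the path specified.",
    "HTTP Error 404 - File or directory not found.",  # hardened page: no path echoed
]

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-01-19 10:59:01 10.0.0.5 GET /index.htm - 200
2000-01-19 10:59:02 10.0.0.5 GET /exists/bah.ida - 500
2000-01-19 10:59:03 10.0.0.5 GET /doesntexist/bah.ida - 500
2000-01-19 10:59:04 10.0.0.9 GET /private/report.idq - 401
2000-01-19 10:59:05 10.0.0.5 GET /another/bah.idq - 500
"""

if __name__ == "__main__":
    for body in SAMPLE_RESPONSES:
        print(find_physical_paths(body) or "no path leaked", "<-", body[:40])
    for ip, stems in index_server_probes(SAMPLE_LOG.splitlines()).items():
        print(ip, "requested", len(stems), "Index Server resources:", stems)
```

Run `find_physical_paths` over the error pages your own server returns for a non-existent .ida file after applying a fix; an empty list is the desired result. The log function is a starting point for an alert: one client requesting several different .ida/.idq paths in a short window is the pattern described in the thread.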

