[13632] in bugtraq
Re: Alert: MS IIS 4 / IS 2 (Cerberus Security Advisory
daemon@ATHENA.MIT.EDU (Mnemonix)
Tue Feb 1 15:40:58 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <02d201bf6c80$bb8013d0$5802020a@cerberusinfosec.co.uk>
Date: Tue, 1 Feb 2000 06:51:13 -0000
Reply-To: Mnemonix <mnemonix@GLOBALNET.CO.UK>
From: Mnemonix <mnemonix@GLOBALNET.CO.UK>
X-To: "John D. Hardin" <jhardin@wolfenet.com>
To: BUGTRAQ@SECURITYFOCUS.COM
From: "John D. Hardin" <jhardin@wolfenet.com>
> On Fri, 28 Jan 2000, Mnemonix wrote:
>
> > > I apply the patch from Microsoft and it doesnt change the problem. I
test
> > > this after and the problem are the same
> > >
> > > *** WARNING ****
> > > Even if you have no .htw files on your system you're probably
> > > still vulnerable! A quick test to show if you are vulnerable:
> > > go to http://YOUR_WEB_SERVER_ADDRESS_HERE/nosuchfile.htw
> > > If you receive a message stating the "format of the QUERY_STRING
> > > is invalid" you _are_ vulnerable.
> >
> > This test is to see if you're vulnerable _before_ you apply the
> > patch. After you install the patch you _will_ still get the same
> > message.
>
> ...so what indicates that you *are not* vulnerable?
We'll - fairly long winded approach - therefore not a quick test:
create a file call test.txt and put it on the root of the drive where your
virtual root is found.
If one doesn't already exist create a static file - eg default.html and
place it in the root virtual directory.
Try to access test.txt by using one of the exploits now floating around.
If you manage it - then you're vulnerable s apply the patch. If you don't
then you're not and the patch is already installed or .htw is not linked to
webhits.dll
Cheers,
David Litchfield
http://www.cerberus-infosec.co.uk/
