[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Creating a secret web site on IIS 5.x using Alternative Data Streams

To: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: RE: Creating a secret web site on IIS 5.x using Alternative Data Streams
From: "James C Slora Jr" <Jim.Slora@xxxxxxxx>
Date: Tue, 9 Aug 2005 11:12:17 -0400

Mitigation at the IIS server looks pretty straightforward.

URLScan in default configuration prevents access to ADS files, generating
the following log line:

Client at 10.1.1.100: URL contains sequence ':', which is disallowed.
Request will be rejected.  Site Instance='1', Raw
URL='/myremoteserver/help.gif:secret'

So you should see accesses in the IIS logs if you don't run URLScan, and
failed attempts in the URLScan logs if you do run it.

References:
- Creating a secret web site on IIS 5.x using Alternative Data Streams
  - From: inge_eivind . henriksen

Prev by Date: iDEFENSE Security Advisory 08.09.05: AWStats ShowInfoURL Remote Command Execution Vulnerability
Next by Date: Mozilla Firefox up to 1.0.6 and Mozilla Thunderbird up to 1.0 url string obfuscation
Previous by thread: Creating a secret web site on IIS 5.x using Alternative Data Streams
Next by thread: Nate User Password Disclosed By Anonymous
Index(es):
- Date
- Thread