Re: [Full-Disclosure] Microsoft win2003server phone home
From: Matthew Murphy (mattmurphy_at_kc.rr.com)
Date: 08/04/03
- Previous message: mcw_at_wcd.se: "[Full-Disclosure] Re: FW: Please investigate (KMM6769685V17014L0KM)"
- In reply to: Mike Garegnani: "Re: [Full-Disclosure] Microsoft win2003server phone home"
- Next in thread: Orochford: "Re: [Full-Disclosure] Microsoft win2003server phone home"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Mike Garegnani" <headhoncho@subverter.net> Date: Mon, 4 Aug 2003 12:29:23 -0500
"Mike Garegnani" writes:
> [snip]
> all that was posted was a guid, and not to mention it was a 404 so
> aside from your post showing up somewhere in a log it won't be used or
> even seen for that matter. but it certainly can be a security issue.
> [snip]
Um, since when did 404s guarantee that data could not be seen? Take the
following Classic ASP:
<%@ Language="VBScript" %>
<%
' The script receives and can process the value before it decides
' what status to send back to the client.
guid = Request.QueryString("guid")
' Buffer the output so the status line and body can still be changed.
Response.Buffer = True
' Tell the client the resource does not exist.
Response.Status = "404 Not Found"
' TODO: Mess with 'guid'
' Discard anything already buffered so the body comes back empty.
Response.Clear
%>
You get an IIS 404 error, even though the script most certainly *DID* exist.
URLScan works in the exact same way -- returning 404s to requests for valid
resources. IMHO this makes identifying URLScan a piece of cake, but some of
its competitors are less subtle (e.g., SecureIIS).
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
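The behaviour the post describes, reproduced as an added example in Python rather than Classic ASP (this is not code from the original message or from any product it names): a loopback HTTP server records the "guid" query parameter and then answers 404 with an empty body, so the client sees "Not Found" while the server keeps the value. The path /report.asp, the function names and the sample GUID are constructed for the demonstration.

```python
"""Added example (not from the original post): a 404 does not mean the
server ignored the request.  The handler stores the 'guid' parameter and
only then returns 404 with an empty body, mirroring the ASP snippet."""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlsplit
from urllib.request import urlopen

# Server-side record of every guid the endpoint has received.
captured = []


def record_and_deny(target):
    """Parse a request target, keep any 'guid' value, and return
    (status_code, body).  The status is 404 no matter what was kept."""
    params = parse_qs(urlsplit(target).query)
    if "guid" in params:
        captured.append(params["guid"][0])
    return 404, b""


class PhoneHomeHandler(BaseHTTPRequestHandler):
    """Minimal handler: the data is processed before the status is chosen."""

    def do_GET(self):
        status, body = record_and_deny(self.path)
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        # Keep the demo quiet; the point is what the handler stored, not stdout.
        pass


def run_demo(guid="11111111-2222-3333-4444-555555555555"):
    """Start a loopback server, send one request carrying the (constructed)
    guid, and return (status_seen_by_client, guids_kept_by_server)."""
    server = HTTPServer(("127.0.0.1", 0), PhoneHomeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = "http://127.0.0.1:%d/report.asp?guid=%s" % (server.server_address[1], guid)
    try:
        urlopen(url)
        status = 200
    except HTTPError as err:
        status = err.code
    finally:
        server.shutdown()
        server.server_close()
    return status, list(captured)


if __name__ == "__main__":
    seen, kept = run_demo()
    print("client saw HTTP %d; server stored %r" % (seen, kept))
```

Running the file prints that the client received HTTP 404 while the server's record contains the GUID; from a defender's point of view, the response code says nothing about whether a request was logged or acted on, so the only reliable control is not sending the identifier in the first place.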