Re: IIS logging issue
From: Jurjen Oskam (jurjen@QUADPRO.STUPENDOUS.ORG)
Date: 11/20/01
Message-ID: <20011120201700.B4935@quadpro.stupendous.org>
Date: Tue, 20 Nov 2001 20:17:00 +0100
From: Jurjen Oskam <jurjen@QUADPRO.STUPENDOUS.ORG>
Subject: Re: IIS logging issue
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

On Mon, Nov 19, 2001 at 05:20:35PM -0700, me@ONESEMICOLON.CJB.NET wrote:

> Log entries in the IIS logfile have the hex codes in a request translated
> to a character.
> /index%2easp becomes /index.asp and is shown as that in the logfile.

[...]

> The %FF and %0A works when using MS-DOS's Edit.
> To make this work in WordPad which more likely will be used to view logs,
> replace %FF with %09.

Something like this was reported some time ago for the Apache webserver:
the reporter thought this was a vulnerability, although this behaviour was
prominently documented.

I don't know about the documentation of IIS, but this is IMHO no
vulnerability. As an administrator, I'd like to know what was sent to my
server, and I'd like to know when someone sends sequences like %09. If this
is translated to "readable" characters before they are logged, you lose
information.

Administrators need to be aware that logfiles can contain "raw"
information, and need to view logfiles with the appropriate tools.

If this isn't properly documented in the IIS documentation, then that
should be changed.

> FINAL NOTES
> These days logs are used very often to prove illegal activity. When logs
> cannot be trusted there is a serious problem: how else do you prove
> illegal activity?

When your logs are altered by translating incoming data to "readable"
format and as such don't even represent what was sent to the server in the
first place, they are much less trustworthy than "real" logs. "Altered"
logs don't tell what *really* happened: I think that is a much more serious
problem than that "raw" logs can confuse some text editors.

--
Jurjen Oskam * http://www.stupendous.org/ for PGP key * Q265230
8:04pm up 23 days, 10:57, 1 user, load average: 0.00, 0.00, 0.00
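
Added example, not part of the original message or of any IIS tooling: a small log viewer of the kind the reply calls for, which shows raw bytes escaped instead of letting an editor interpret them. It assumes records are terminated by CRLF and uses a constructed, simplified sample; the function names `render_safe` and `audit` are hypothetical.

```python
import re

# Anything except printable ASCII is escaped; backslash (0x5c) is escaped too,
# so the output cannot be confused with a literal "\x0a" typed by a client.
_ESCAPE = re.compile(rb"[^\x20-\x5b\x5d-\x7e]")
# Bytes outside printable ASCII should never appear inside a single record.
_CONTROL = re.compile(rb"[^\x20-\x7e]")


def render_safe(record: bytes) -> str:
    """Return the record on one line, with unsafe bytes shown as \\xNN."""
    escaped = _ESCAPE.sub(lambda m: b"\\x%02x" % m.group()[0], record)
    return escaped.decode("ascii")


def audit(raw_log: bytes):
    """Split on CRLF only and return (record_no, flagged, safe_text) tuples."""
    out = []
    records = [r for r in raw_log.split(b"\r\n") if r]
    for n, rec in enumerate(records, 1):
        out.append((n, bool(_CONTROL.search(rec)), render_safe(rec)))
    return out


# Constructed sample (assumption: simplified fields, CRLF record terminator).
# The second record carries raw 0xFF, LF and TAB bytes inside the URL field.
SAMPLE = (
    b"2001-11-19 17:20:35 192.0.2.10 GET /index.asp 200\r\n"
    b"2001-11-19 17:20:36 192.0.2.10 GET /a.asp\xff\n"
    b"constructed-second-line\t 200\r\n"
    b"2001-11-19 17:20:37 198.51.100.7 GET /default.asp 200\r\n"
)

if __name__ == "__main__":
    for n, flagged, text in audit(SAMPLE):
        print(f"{n:>3} {'!!' if flagged else '  '} {text}")
```

Because the file is read as bytes and split only on the record terminator, a record with an embedded line feed stays one flagged line in the output instead of appearing as two entries.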