Re: IIS logging issue

From: Jurjen Oskam (jurjen@QUADPRO.STUPENDOUS.ORG)
Date: 11/20/01


Message-ID:  <20011120201700.B4935@quadpro.stupendous.org>
Date:         Tue, 20 Nov 2001 20:17:00 +0100
From: Jurjen Oskam <jurjen@QUADPRO.STUPENDOUS.ORG>
Subject:      Re: IIS logging issue
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

On Mon, Nov 19, 2001 at 05:20:35PM -0700, me@ONESEMICOLON.CJB.NET wrote:

> Log entries in the IIS logfile have the hex codes in a request translated
> to a character.
> /index%2easp becomes /index.asp and is shown as that in the logfile.
        [...]
> The %FF and %0A work when using MS-DOS's Edit.
> To make this work in WordPad which more likely will be used to view logs,
> replace %FF with %09.

Something like this was reported some time ago for the Apache webserver:
the reporter thought this was a vulnerability, although this behaviour was
prominently documented.

I don't know about the documentation of IIS, but this is IMHO no
vulnerability. As an administrator, I'd like to know what was sent to my
server, and I'd like to know when someone sends sequences like %09. If this
is translated to "readable" characters before they are logged, you lose
information.

Administrators need to be aware that logfiles can contain "raw"
information, and need to view logfiles with the appropriate tools.

If this isn't properly documented in the IIS documentation, then that
should be changed.

> FINAL NOTES
> These days logs are used very often to prove illegal activity. When logs
> cannot be trusted there is a serious problem: how else do you prove
> illegal activity?

When your logs are altered by translating incoming data to "readable"
format and as such don't even represent what was sent to the server in the
first place, they are much less trustworthy than "real" logs. "Altered"
logs don't tell what *really* happened: I think that is a much more serious
problem than that "raw" logs can confuse some text editors.

--
      Jurjen Oskam * http://www.stupendous.org/ for PGP key * Q265230
    8:04pm  up 23 days, 10:57,  1 user,  load average: 0.00, 0.00, 0.00
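
One way to view a "raw" logfile with an appropriate tool, as the reply above recommends. This is an added example, not code from the original post or from IIS: it renders every byte outside printable ASCII as \xNN and flags records whose field count disagrees with the #Fields header. The sample log, its addresses and the function names are constructed for illustration.

```python
# Constructed sample in W3C extended format (not from the original post).
# Lines 3-4 show one record split by a raw 0x0A byte, with 0xFF before it;
# line 5 holds a raw tab (0x09) inside the URI.
SAMPLE_LOG = (
    b"#Fields: time c-ip cs-method cs-uri-stem sc-status\n"
    b"20:01:11 192.0.2.10 GET /index.asp 200\n"
    b"20:01:12 192.0.2.66 GET /a.asp\xff\n"
    b"20:01:12 192.0.2.99 GET /admin.asp 200\n"
    b"20:01:13 192.0.2.66 GET /b\tc.asp 404\n"
)


def render(line: bytes) -> str:
    """Show every byte outside printable ASCII as \\xNN so nothing is hidden."""
    return "".join(chr(b) if 0x20 <= b <= 0x7E else f"\\x{b:02x}" for b in line)


def audit(raw: bytes):
    """Return (line_number, rendered_text, [findings]) for each non-empty line."""
    expected = None      # field count taken from the #Fields directive
    prev_short = False   # previous record had too few fields
    report = []
    for n, line in enumerate(raw.split(b"\n"), 1):
        if line.endswith(b"\r"):      # tolerate CRLF line endings
            line = line[:-1]
        if not line:
            continue
        findings = []
        if line.startswith(b"#"):
            if line.startswith(b"#Fields:"):
                expected = len(line.split()) - 1
            report.append((n, render(line), findings))
            continue
        if any(b < 0x20 or b > 0x7E for b in line):
            findings.append("non-printable byte")
        if prev_short:
            # A truncated record followed by a full one suggests a split line.
            findings.append("follows short record")
        count = len(line.split(b" "))
        prev_short = expected is not None and count < expected
        if expected is not None and count != expected:
            findings.append(f"{count} fields, expected {expected}")
        report.append((n, render(line), findings))
    return report


if __name__ == "__main__":
    for n, text, findings in audit(SAMPLE_LOG):
        print(f"{n:>3} {text}  {'; '.join(findings)}")
```
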
