Re: IIS logging issue

From: Rui Quintino (rui.quintino@DIGIDOC.PT)
Date: 11/22/01


Message-ID:  <593D87C8EC48D411B55F00508B624E5560A6DD@THOR>
Date:         Thu, 22 Nov 2001 09:34:46 -0000
From: Rui Quintino <rui.quintino@DIGIDOC.PT>
Subject:      Re: IIS logging issue
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Hi there,

Just a note on this issue... don't know if it's interesting enough but well,
here it goes. After reading this I tested some of my web servers and I was
able to reproduce the behaviour with a %0D%0A sequence. Feature or not, the
important thing is to be aware of it (I am now).

The other interesting thing is that it is possible to make a GET request that
won't be fully logged (I searched the file in hex for the info and it's
really not there). For example http://server/page.asp%00PhantomString?id=1 .
%00 is taken as the end of the resource string, the page actually works as
expected, the querystring is correctly parsed but the log only shows GET
/Page.asp Id=1 200 etc etc etc (Phantomstring is really gone). How can this
be useful to an attacker...? I really don't know. I wasn't able to use this
in any useful way since IIS completely ignores the data after %00 (excluding
the querystring).

Any thoughts on this?

Rui Quintino
_______________________________
 
Rui Dias Quintino
Analyst/Programmer

Tel: +351 966149376
rquintino@portugalmail.pt
http://www24.brinkster.com/rquintino/
_______________________________
"It may roundly be asserted that human
ingenuity cannot concoct a cipher which human
ingenuity cannot resolve." - Edgar Allan Poe

-----Original Message-----
From: Jurjen Oskam [mailto:jurjen@QUADPRO.STUPENDOUS.ORG]
Sent: Tuesday, 20 November 2001 19:17
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: IIS logging issue

On Mon, Nov 19, 2001 at 05:20:35PM -0700, me@ONESEMICOLON.CJB.NET wrote:

> Log entries in the IIS logfile have the hex codes in a request translated
> to a character.
> /index%2easp becomes /index.asp and is shown as that in the logfile.
        [...]
> The %FF and %0A works when using MS-DOS's Edit.
> To make this work in WordPad which more likely will be used to view logs,
> replace %FF with %09.

Something like this was reported some time ago for the Apache webserver:
the reporter thought this was a vulnerability, although this behaviour was
prominently documented.

I don't know about the documentation of IIS, but this is IMHO no
vulnerability. As an administrator, I'd like to know what was sent to my
server, and I'd like to know when someone sends sequences like %09. If this
is translated to "readable" characters before they are logged, you lose
information.

Administrators need to be aware that logfiles can contain "raw"
information, and need to view logfiles with the appropriate tools.

If this isn't properly documented in the IIS documentation, then that
should be changed.

> FINAL NOTES
> These days logs are used very often to prove illegal activity. When logs
> cannot be trusted there is a serious problem: how else do you prove
> illegal activity?

When your logs are altered by translating incoming data to "readable"
format and as such don't even represent what was sent to the server in the
first place, they are much less trustworthy than "real" logs. "Altered"
logs don't tell what *really* happened: I think that is a much more serious
problem than that "raw" logs can confuse some text editors.

--
      Jurjen Oskam * http://www.stupendous.org/ for PGP key * Q265230
    8:04pm  up 23 days, 10:57,  1 user,  load average: 0.00, 0.00, 0.00
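
The quoted reply says logs holding raw decoded bytes should be read with an appropriate tool. As an added example (not part of the original thread), this Python check reads a log as bytes, escapes every control or non-ASCII byte, and flags records whose field count disagrees with the `#Fields` header. The W3C extended format, the field list and the sample log are assumptions constructed for illustration.

```python
import re

# Constructed sample (not from a real server): W3C extended log bytes in which
# decoded request bytes (CR LF, TAB, 0xFF, LF) ended up inside records.
SAMPLE = (
    b"#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status\r\n"
    b"2001-11-22 09:30:01 192.0.2.10 GET /index.asp - 200\r\n"
    b"2001-11-22 09:30:05 192.0.2.66 GET /a.asp\r\n"          # record cut by CR LF
    b"2001-11-22 09:30:06 192.0.2.10 GET /admin.asp - 200\r\n"
    b"2001-11-22 09:30:09 192.0.2.66 GET /b\tc.asp - 200\r\n"
    b"2001-11-22 09:30:12 192.0.2.66 GET /d\xff\ne.asp - 200\r\n"
)

# Bytes to make visible: controls, backslash (keeps the escaping unambiguous),
# DEL and everything above ASCII.
ESCAPE = re.compile(rb"[\x00-\x1f\\\x7f-\xff]")

def escape(raw: bytes) -> str:
    """Render a record so that no byte can move the cursor or hide in a viewer."""
    return ESCAPE.sub(lambda m: b"\\x%02x" % m.group()[0], raw).decode("ascii")

def audit(log: bytes):
    """Return (line_no, escaped_record, problems) for each suspicious record."""
    expected, findings = None, []
    for no, rec in enumerate(log.split(b"\r\n"), 1):
        if rec.startswith(b"#Fields:"):
            expected = len(rec.split()) - 1   # field names after the directive
        if not rec or rec.startswith(b"#"):
            continue
        problems = []
        if any(b < 0x20 or b >= 0x7f for b in rec):
            problems.append("control or non-ASCII byte inside record")
        count = len(rec.split(b" "))
        if expected is not None and count != expected:
            problems.append(f"{count} fields, #Fields declares {expected}")
        if problems:
            findings.append((no, escape(rec), problems))
    return findings

if __name__ == "__main__":
    for no, text, problems in audit(SAMPLE):
        print(f"line {no}: {'; '.join(problems)}\n    {text}")
```

Open the log in binary mode (`open(path, "rb")`) so that newline translation does not change the bytes before `audit` sees them.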
