RE: Creating a secret web site on IIS 5.x using Alternative Data Streams

From: James C Slora Jr (Jim.Slora_at_phra.com)
Date: 08/09/05

  • Next message: Marc Ruef: "Mozilla Firefox up to 1.0.6 and Mozilla Thunderbird up to 1.0 url string obfuscation"
    To: <bugtraq@securityfocus.com>
    Date: Tue, 9 Aug 2005 11:12:17 -0400
    
    

    Mitigation at the IIS server looks pretty straightforward.

    URLScan in default configuration prevents access to ADS files, generating
    the following log line:

    Client at 10.1.1.100: URL contains sequence ':', which is disallowed.
    Request will be rejected. Site Instance='1', Raw
    URL='/myremoteserver/help.gif:secret'

    So you should see accesses in the IIS logs if you don't run URLScan, and
    failed attempts in the URLScan logs if you do run it.
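
The detection advice in this reply (accesses in the IIS logs when URLScan is absent, rejections in the URLScan log when it is present) can be turned into a small log check. The following Python is an added example and is not part of the original post; the URLScan line is the one quoted above, the IIS W3C Extended log excerpt is constructed sample data, and the field order is taken from the log's own `#Fields` header rather than assumed.

```python
"""Find requests for NTFS alternate data streams (file:stream) in IIS and URLScan logs.

Added example, not part of the original post. The URLScan line is the one quoted
in the post; the W3C Extended log excerpt is constructed sample data.
"""
import re
from urllib.parse import unquote

# URLScan rejection line as quoted in the post (any timestamp prefix omitted).
URLSCAN_LOG = (
    "Client at 10.1.1.100: URL contains sequence ':', which is disallowed. "
    "Request will be rejected. Site Instance='1', Raw "
    "URL='/myremoteserver/help.gif:secret'\n"
)

# Constructed IIS W3C Extended log excerpt. Column meaning comes from #Fields.
IIS_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2005-08-09 15:12:17
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2005-08-09 15:12:17 10.1.1.100 GET /myremoteserver/help.gif - 200
2005-08-09 15:12:19 10.1.1.100 GET /myremoteserver/help.gif:secret - 200
2005-08-09 15:12:20 10.1.1.100 GET /myremoteserver/help.gif%3Asecret - 200
2005-08-09 15:12:21 10.1.1.101 GET /index.htm - 200
"""

# Matches the ':' rejection message; DOTALL lets it span a line-wrapped entry.
URLSCAN_REJECT = re.compile(
    r"Client at (?P<client>[\d.]+): URL contains sequence ':'.*?"
    r"Raw\s+URL='(?P<raw_url>[^']*)'",
    re.DOTALL,
)


def parse_urlscan_rejections(text):
    """Return (client_ip, raw_url) for every ':' rejection URLScan logged."""
    return [(m.group("client"), m.group("raw_url"))
            for m in URLSCAN_REJECT.finditer(text)]


def parse_w3c_log(text):
    """Parse W3C Extended log lines into dicts keyed by the #Fields names."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line appears before the #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip it rather than misalign the columns
        records.append(dict(zip(fields, values)))
    return records


def is_ads_stem(stem):
    """True when a URI stem names an NTFS stream, i.e. contains ':' once decoded."""
    return ":" in unquote(stem)


def find_ads_requests(records):
    """Return (client_ip, stem, status) for requests whose stem looks like file:stream."""
    return [(r["c-ip"], r["cs-uri-stem"], r["sc-status"])
            for r in records if is_ads_stem(r.get("cs-uri-stem", ""))]


if __name__ == "__main__":
    for client, url in parse_urlscan_rejections(URLSCAN_LOG):
        print(f"URLScan rejected ADS request from {client}: {url}")
    for client, stem, status in find_ads_requests(parse_w3c_log(IIS_LOG)):
        print(f"IIS served ADS request from {client}: {stem} (status {status})")
```

Percent-decoding the stem before looking for ':' is the one check added beyond the quoted log line; it is there so that an encoded `%3A` in the IIS log is not missed.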
