PROPFIND

From: Joe Smith (shadowm4n@yahoo.com)
Date: 10/09/01


Message-ID: <20011009182406.822.qmail@web20101.mail.yahoo.com>
Date: Tue, 9 Oct 2001 11:24:06 -0700 (PDT)
From: Joe Smith <shadowm4n@yahoo.com>
Subject: PROPFIND
To: focus-ids@securityfocus.com

I received a new query today that arachnids classifies
as "IDS475/web-iis_web-webdav-propfind".
Unfortunately, it seems that whitehats.com is down
right now.

Before today, I really didn't know what propfind was,
and I still am not sure what I should be expecting.
Is this a normal-looking request to you?

FYI, the webserver is running IIS 4.0 (not 5.0, which
apparently is vulnerable to the DoS propfind
vulnerability).

Looking at the packet payload, I see this...

PROPFIND /onlinehome/ HTTP/1.1
Depth: 0
Content-Type: text/xml
Brief: t
User-Agent: Outlook Express/5.0 (MSIE 5.0; Windows 98;
DigExt)
Host: www.mydomain.com
Content-Length: 341
Connection: Keep-Alive

<?xml version="1.0"?>
<D:propfind xmlns:D="DAV:"
xmlns:h="http://schemas.microsoft.com/hotmail/"
xmlns:hm="urn:schemas:httpmail:">
.<D:prop>
..<h:adbar/>
..<hm:contacts/>
..<hm:inbox/>
..<hm:outbox/>
..<hm:sendmsg/>
..<hm:sentitems/>
..<hm:deleteditems/>
..<hm:drafts/>
..<hm:msgfolderroot/>
..<h:sig/>
.</D:prop>
</D:propfind>

Any guidance would be appreciated.

-Smith
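
An added example, not part of the original post: a Python summary of the fields worth reviewing in the captured request (method, Depth, declared versus actual body length, and the namespaces and properties the client asks for). The sample is rebuilt from the dump on the assumptions that each leading "." stands for a tab, wrapped lines join with a single space, and lines end in CRLF; `summarize_propfind` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the request from the post, rebuilt on the assumptions that
# each "." in the dump is a tab, wrapped lines join with one space, lines end CRLF.
PROPS = ["h:adbar", "hm:contacts", "hm:inbox", "hm:outbox", "hm:sendmsg",
         "hm:sentitems", "hm:deleteditems", "hm:drafts", "hm:msgfolderroot", "h:sig"]
BODY = "\r\n".join(
    ['<?xml version="1.0"?>',
     '<D:propfind xmlns:D="DAV:" xmlns:h="http://schemas.microsoft.com/hotmail/"'
     ' xmlns:hm="urn:schemas:httpmail:">',
     "\t<D:prop>"]
    + [f"\t\t<{p}/>" for p in PROPS]
    + ["\t</D:prop>", "</D:propfind>"])
HEAD = "\r\n".join([
    "PROPFIND /onlinehome/ HTTP/1.1", "Depth: 0", "Content-Type: text/xml", "Brief: t",
    "User-Agent: Outlook Express/5.0 (MSIE 5.0; Windows 98; DigExt)",
    "Host: www.mydomain.com", "Content-Length: 341", "Connection: Keep-Alive"])
SAMPLE = (HEAD + "\r\n\r\n" + BODY).encode("ascii")


def summarize_propfind(raw: bytes) -> dict:
    """Fields to review when an IDS flags a PROPFIND; bodies with a DTD are not parsed."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    pairs = (line.partition(":") for line in lines[1:])
    headers = {k.strip().lower(): v.strip() for k, _, v in pairs}
    declared = headers.get("content-length", "")
    out = {
        "method": method, "path": path, "depth": headers.get("depth"),
        "declared_length": int(declared) if declared.isdigit() else None,
        "body_length": len(body),
        "has_dtd": b"<!DOCTYPE" in body or b"<!ENTITY" in body,
        "namespaces": [], "properties": [], "xml_error": None,
    }
    if body and not out["has_dtd"]:
        try:
            prop = ET.fromstring(body).find("{DAV:}prop")
            for el in (prop if prop is not None else []):
                ns, _, local = el.tag.lstrip("{").rpartition("}")
                out["properties"].append((ns, local))
            out["namespaces"] = sorted({ns for ns, _ in out["properties"]})
        except ET.ParseError as exc:
            out["xml_error"] = str(exc)
    return out


if __name__ == "__main__":
    print(summarize_propfind(SAMPLE))
```

Under those assumptions the rebuilt body is exactly 341 bytes, the same value as the Content-Length header in the post.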
