Re: PROPFIND

From: Gabriel Lawrence (gabe@butterflysecurity.com)
Date: 10/09/01


Message-ID: <3BC35589.6000605@butterflysecurity.com>
Date: Tue, 09 Oct 2001 12:52:41 -0700
From: Gabriel Lawrence <gabe@butterflysecurity.com>
To: Joe Smith <shadowm4n@yahoo.com>
Subject: Re: PROPFIND

WebDAV (Web-based Distributed Authoring and Versioning) is a standard
protocol that extends the HTTP protocol to allow users to collaboratively
edit and manage files on remote web servers.

This protocol is used by Msft web folders, FrontPage, Office2k, and
other software. Msft is bullish on the protocol; it seems to offer a
good way to do all kinds of wide area collaboration.

So, I guess my short answer to your question is, if you are using some
apps that use webdav this is likely a valid request. In fact, my
recollection of the last propfind alert I read was long strings in the
xmlns entry, your grab looks fine in this respect. In fact, this payload
for the propfind query looks ok with my ever so quick glance.

I'm wondering: are you trying to use Outlook to access Outlook Web Access
running on your server? I'm not too familiar with what Msft offers with
Outlook (I don't use it ;-) but from looking at the request it looks
like that's what's going on here. I'd be concerned if you don't want that
software to be used, but otherwise this looks like good traffic.

For more info on webdav check out www.webdav.org.

-gabe

Joe Smith wrote:

> I received a new query today that arachnids classifies
> as "IDS475/web-iis_web-webdav-propfind".
> Unfortunately, it seems that whitehats.com is down
> right now.
>
> Before today, I really didn't know what propfind was,
> and I still am not sure what I should be expecting.
> Is this a normal looking request to you?
>
> FYI, the webserver is running IIS 4.0 (not 5.0, which
> apparently is vulnerable to the DOS propfind
> vulnerability).
>
> Looking at the packet payload, I see this...
>
> PROPFIND /onlinehome/ HTTP/1.1
> Depth: 0
> Content-Type: text/xml
> Brief: t
> User-Agent: Outlook Express/5.0 (MSIE 5.0; Windows 98;
> DigExt)
> Host: www.mydomain.com
> Content-Length: 341
> Connection: Keep-Alive
>
> <?xml version="1.0"?>
> <D:propfind xmlns:D="DAV:"
> xmlns:h="http://schemas.microsoft.com/hotmail/"
> xmlns:hm="urn:schemas:httpmail:">
> .<D:prop>
> ..<h:adbar/>
> ..<hm:contacts/>
> ..<hm:inbox/>
> ..<hm:outbox/>
> ..<hm:sendmsg/>
> ..<hm:sentitems/>
> ..<hm:deleteditems/>
> ..<hm:drafts/>
> ..<hm:msgfolderroot/>
> ..<h:sig/>
> .</D:prop>
> </D:propfind>
>
> Any guidance would be appreciated.
>
> -Smith
>

-- 
When strong encryption is illegal, only criminals will have it.
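As an added example (not part of the thread and not anyone's posted code), the following script takes a captured PROPFIND request like the one quoted above and applies the kind of checks a defender would run before deciding whether an IDS hit is worth chasing: it parses the HTTP headers, lists the properties the client asked for, and flags the pattern Gabe mentions, an unusually long value in an xmlns declaration. The sample request is reconstructed from the quoted payload (with Content-Length computed so the sample is self-consistent); the length threshold and the finding names are assumptions, not values from any IDS signature.

```python
"""Parse a captured WebDAV PROPFIND request and apply defender-side checks.
Added example for the thread above; sample data is reconstructed from the
quoted payload, and MAX_XMLNS_LEN is an assumed threshold."""
import re
import xml.etree.ElementTree as ET

# Assumed threshold for an xmlns URI; real signatures pick their own value.
MAX_XMLNS_LEN = 128

# Constructed sample body: the XML quoted in the thread, with the leading
# dots the quote used for indentation replaced by spaces.
SAMPLE_BODY = (
    b'<?xml version="1.0"?>\n'
    b'<D:propfind xmlns:D="DAV:"\n'
    b' xmlns:h="http://schemas.microsoft.com/hotmail/"\n'
    b' xmlns:hm="urn:schemas:httpmail:">\n'
    b' <D:prop>\n'
    b'  <h:adbar/>\n'
    b'  <hm:contacts/>\n'
    b'  <hm:inbox/>\n'
    b'  <hm:outbox/>\n'
    b'  <hm:sendmsg/>\n'
    b'  <hm:sentitems/>\n'
    b'  <hm:deleteditems/>\n'
    b'  <hm:drafts/>\n'
    b'  <hm:msgfolderroot/>\n'
    b'  <h:sig/>\n'
    b' </D:prop>\n'
    b'</D:propfind>\n'
)


def build_request(body: bytes, depth: str = "0") -> bytes:
    """Wrap a PROPFIND body in the headers seen in the capture; Content-Length
    is computed from the body so the constructed sample is self-consistent."""
    headers = (
        "PROPFIND /onlinehome/ HTTP/1.1\r\n"
        f"Depth: {depth}\r\n"
        "Content-Type: text/xml\r\n"
        "Brief: t\r\n"
        "User-Agent: Outlook Express/5.0 (MSIE 5.0; Windows 98; DigExt)\r\n"
        "Host: www.mydomain.com\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: Keep-Alive\r\n"
        "\r\n"
    )
    return headers.encode("ascii") + body


SAMPLE_REQUEST = build_request(SAMPLE_BODY)

# Matches xmlns="..." and xmlns:prefix="..." declarations in the raw body.
XMLNS_RE = re.compile(rb'xmlns(?::[A-Za-z0-9_.-]+)?\s*=\s*"([^"]*)"')


def parse_http_request(raw: bytes) -> dict:
    """Split one HTTP/1.1 request into request line, header map, and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers found")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def analyze_propfind(raw: bytes) -> dict:
    """Return the Depth, the requested property names, and a list of findings."""
    req = parse_http_request(raw)
    if req["method"] != "PROPFIND":
        raise ValueError(f"not a PROPFIND request: {req['method']}")
    findings = []
    hdr = req["headers"]

    # A missing Depth header means "infinity", which asks the server to walk
    # the whole subtree; that is expensive and worth noting on its own.
    depth = hdr.get("depth", "infinity").lower()
    if depth == "infinity":
        findings.append("depth-infinity")

    # A Content-Length that disagrees with the delivered body points to a
    # truncated capture or a request that is not what it claims to be.
    declared = hdr.get("content-length")
    if declared is not None and (not declared.isdigit() or int(declared) != len(req["body"])):
        findings.append("content-length-mismatch")

    # The heuristic from the thread: unusually long xmlns values. The raw bytes
    # are inspected because the XML parser resolves namespaces away.
    for match in XMLNS_RE.finditer(req["body"]):
        if len(match.group(1)) > MAX_XMLNS_LEN:
            findings.append("oversized-xmlns")
            break

    # Collect the property names under DAV:prop (tags come back as {ns}local).
    properties = []
    try:
        root = ET.fromstring(req["body"])
        for prop in root.iter("{DAV:}prop"):
            properties.extend(child.tag for child in prop)
    except ET.ParseError:
        findings.append("malformed-xml")

    return {"target": req["target"], "depth": depth,
            "properties": properties, "findings": findings}


if __name__ == "__main__":
    result = analyze_propfind(SAMPLE_REQUEST)
    print(result["target"], "Depth:", result["depth"])
    for tag in result["properties"]:
        print("  requested:", tag)
    print("findings:", result["findings"] or "none")
```

Run against the quoted capture the script reports no findings and ten requested properties, all in the Hotmail/httpmail namespaces, which is consistent with Gabe's reading of it as ordinary mail-client traffic; the same script on a body with a padded xmlns value, or on a capture whose body is shorter than its Content-Length, raises the corresponding finding.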
