RE: IIS/Unicode and authentication box
From: Bryan Allerdice (bryan_allerdice@yahoo.com)
Date: 07/25/01
From: "Bryan Allerdice" <bryan_allerdice@yahoo.com>
To: "Penetration Testers" <PEN-TEST@securityfocus.com>
Subject: RE: IIS/Unicode and authentication box
Date: Wed, 25 Jul 2001 16:09:58 -0400
Message-ID: <BGEALEDBHAGOPJFLFMODMEDOCEAA.bryan_allerdice@yahoo.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I'd point out to the customer that there are ways to brute-force the
username and password. If someone were to find a legitimate username
and password by brute-force, then they could exploit whatever holes
his IIS installation has - Unicode or otherwise.
(You'll find an HTTP-Auth brute-forcer program called ObiWaN at
http://www.phenoelit.de/obiwan/)
BRYAN
- -----Original Message-----
From: Vladimir Parkhaev [mailto:vladimir@arobas.net]
Sent: Wednesday, July 25, 2001 9:03 AM
To: Penetration Testers
Subject: IIS/Unicode and authentication box
I am trying to show to a customer that his IIS server is vulnerable
to Unicode exploits. However, access to his server is password
protected (Require valid-user). I get "HTTP/1.1 401 Access Denied" and
"You are not authorized to view this page".
As far as I am concerned, having a password box does mean he does
not have to patch his web server. How can I show that his box
is vulnerable? Anybody?
- ----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
iQA/AwUBO18nkYQImHalSbbtEQLh2wCgoGZHsML3Z+FAlFZ+eAAR+61XwL0AoNBA
z76obD8zgpOllPeOYZFsR4g2
=cDA0
-----END PGP SIGNATURE-----
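
A defender-side illustration of the reply's point, added here and not part of the original thread: it scans IIS W3C extended log lines for a burst of 401 responses, a success that follows such a burst, and overlong UTF-8 sequences in the requested URI. The field list, thresholds, finding labels and log lines are constructed assumptions, and the log is assumed to record the URI as received.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample in IIS W3C extended log format (documentation IP ranges).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2001-07-25 13:00:00 198.51.100.7 - GET /private/ 401
2001-07-25 13:00:04 198.51.100.7 alice GET /private/ 200
2001-07-25 13:05:01 192.0.2.10 - GET /private/ 401
2001-07-25 13:05:02 192.0.2.10 - GET /private/ 401
2001-07-25 13:05:03 192.0.2.10 - GET /private/ 401
2001-07-25 13:05:04 192.0.2.10 - GET /private/ 401
2001-07-25 13:05:05 192.0.2.10 - GET /private/ 401
2001-07-25 13:05:06 192.0.2.10 admin GET /private/ 200
2001-07-25 13:05:09 192.0.2.10 admin GET /private/a%c0%afb 404
2001-07-25 13:07:00 203.0.113.5 - GET /private/a%c0%afb 401
"""

# Overlong two-byte UTF-8 (lead byte C0/C1) never appears in a legitimate URL.
OVERLONG = re.compile(r"%c[01]%[89ab][0-9a-f]", re.I)

def parse(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            yield row

def detect(text, threshold=5, window=timedelta(minutes=1)):
    """Return (client IP, finding) pairs in log order."""
    failures, guessed, alerts = defaultdict(list), set(), []
    for r in parse(text):
        ip, status = r["c-ip"], r["sc-status"]
        recent = [t for t in failures[ip] if r["ts"] - t <= window]
        if status == "401":
            recent.append(r["ts"])
            if len(recent) == threshold:  # fires when the count reaches the threshold
                alerts.append((ip, "401-burst"))
        elif status.startswith("2") and len(recent) >= threshold and ip not in guessed:
            guessed.add(ip)  # a guess worked: the password box is no longer a barrier
            alerts.append((ip, "success-after-401-burst"))
        failures[ip] = recent
        if OVERLONG.search(r["cs-uri-stem"]):
            alerts.append((ip, "overlong-utf8:" + status))
    return alerts
```

The status appended to the overlong finding shows whether the request was stopped at the authentication layer (401) or reached the server's own URL handling.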