Re: assessing IIS 5.0

On Tue, 5 Sep 2006 12:01:14 -0400
"Butler, Theodore" <Theodore.Butler@xxxxxxxxxxxxx> wrote:

The risk will be determined by the threat, and value of the associated
asset (web server and its content) coupled with its vulnerability. Risk
= Threat x Vulnerability (likelihood of threat's success) x Cost(Value
to replace). The vulnerability is only one part and only you know the
other 2 aspects.


Unfortunately, that calculation isn't possible for a third party to calculate and use in a vulnerability report. In reports, you will have an easier time if you just clearly state the category of the problem and the consequence of the problem. In this case, IIS revealing the internal IP address is a "systems configuration information disclosure, affecting Confidentiality".

Without understanding the security policy of the system being evaluated (IE, not provided, doesn't exist, etc), trying to assign a risk value/rating is presumptuous and baseless if not clearly defined in your report. If they don't give you a policy, then you should define your terms in your report so the reader can understand your logic behind assigning the value.

For example, if you were evaluating the system for PCI/SDP, they place a level 5 (Urgent) value to vulnerabilities affecting CIA system wide, level 4 (Critical) value to vulnerabilities affecting C system wide, or if sensitive content is being leaked (without defining sensitive), level 3 (Critical) value to vulnerabilities partial C of files or of security configuration information, availability issues, and other misc policy violations (such as being able to relay mail), level 2 (Medium) C related to non-security systems configuration information (IP addresses, server version information, etc), and level 1 (Low) to C related to open ports. --

If the system audited is held to PCI/SDP policy standards this finding could be a Level 2 (Medium) finding.

Best of luck,


Robert E. Lee
Chief Security Officer

phone: +46-(0)455-612-320
fax : +46-(0)455-13960
email: robert@xxxxxxxxxxxxx

This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

Relevant Pages

  • SecurityFocus Microsoft Newsletter #102
    ... MICROSOFT VULNERABILITY SUMMARY ... Microsoft Windows Media Player File Attachment Script Execution... ... Microsoft TSAC ActiveX Control Buffer Overflow Vulnerability ... Abyss Web Server Malicious HTTP Request Information Disclosure... ...
  • SecurityFocus Microsoft Newsletter #95
    ... MICROSOFT VULNERABILITY SUMMARY ... BEA Systems WebLogic Server and Express Race Condition Denial... ... Key Focus KF Web Server Directory Contents Disclosure... ... KMMail Code Injection Vulnerability ...
  • SecurityFocus Microsoft Newsletter #93
    ... cyber attacks and bulletproof countermeasures to prevent attacks before ... MICROSOFT VULNERABILITY SUMMARY ... YaBB Invalid Topic Error Page Cross Site Scripting Vulnerability ... GameCheats Advanced Web Server Malformed HTTP Request Denial Of... ...
  • [NT] Xedus Webserver Directory Traversal and DoS
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: ... The Xedus web server is vulnerable to a directory traversal. ... this vulnerability constitutes a denial of ...
  • RE: New HP Jetdirect SNMP password vulnerability when using Web JetAdmin
    ... The issue at hand stems from the fact that the web server in older ... If you set the snmp community string to anything other than the ... New HP Jetdirect SNMP password vulnerability when using Web ... -A Web Jetadmin "device password" had been set on the JetDirect card. ...