Re: Can't get rid of localstart.asp
From: Jeff Cochran (jeff.nospam_at_zina.com)
Date: 06/11/05
- Previous message: SteveC: "Can't get rid of localstart.asp"
- In reply to: SteveC: "Can't get rid of localstart.asp"
- Next in thread: SteveC: "Re: Can't get rid of localstart.asp"
- Reply: SteveC: "Re: Can't get rid of localstart.asp"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 11 Jun 2005 14:00:22 GMT
On Fri, 10 Jun 2005 14:37:02 -0700, SteveC
<SteveC@discussions.microsoft.com> wrote:
>I have deleted the localstart.asp file from my web server because of the
>vulnerablity associated with a brute force attack on localstart.asp. This
>server is my OWA server. Everything works fine but, my vulnerability scans
>continue to show the localstart.asp vulnerability. When I go to
>https://webservername/localstart.asp, I am prompted for a username and
>password which is the reason I am being flagged by my scanner. I have checked
>everywhere on the server and the localstart.asp file is no where on it. Why
>would I be prompted for authentication when the file does not exist? More
>importantly, how do I stop it?
The authentication may be unrelated to the actual file requested.
Have you tried requesting another file which also doesn't exist?
FWIW, you can eliminate any vulnerability by saving a file as
localstart.asp which does nothing but display a text message that the
file does not exist.
Jeff
- Previous message: SteveC: "Can't get rid of localstart.asp"
- In reply to: SteveC: "Can't get rid of localstart.asp"
- Next in thread: SteveC: "Re: Can't get rid of localstart.asp"
- Reply: SteveC: "Re: Can't get rid of localstart.asp"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
