Bugtraq mailing list archives
Re: IIS still revealing paths for web directories
From: mikehow () MICROSOFT COM (Michael Howard)
Date: Thu, 20 Jan 2000 13:28:46 -0800
What auth schemes are you using? If you've already used basic auth and the .ida stuff is in the same realm as the previous basic auth realm then you won't get prompted until you either (a) switch realms or (b) use another auth scheme.

Cheers,
Michael Howard
Windows 2000 Security
Got an 'Access Denied' problem? Check the appropriate logs first!

-----Original Message-----
From: Kevin Matthew [mailto:kevinm () WINCOM NET]
Sent: Wednesday, January 19, 2000 10:59 AM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: IIS still revealing paths for web directories

Hello,

There's another glitch when you have a password protected web directory with IIS5 and sending the http://www.iisServer.blah/blah.ida

When the root folder on that website is password protected you do not get asked to authenticate but you just receive the error like other postings. Ditto with guessing content of that folder, the server would not ask for the auth but just report a missing .ida file with full path of the local file.

IIS should ask for the password before giving out anything else.

Kevin Matthew <kevinm () wincom net>
Windsor Information Network Company Limited (WINCOM)
4325 County Road 42, Unit 10
Windsor, Ontario N8A 6J3
Phone: 519.972.1007
Fax: 519.972.7009

On Tue, 18 Jan 2000, Brock Tellier wrote:
BTW, different error messages are given depending on whether or not the path up to the idq file exists. In my brief testing:

http://www.example.com/exists/bah.ida
yields
The IDQ file C:\Inetpub\wwwroot\exists\bah.ida could not be found.

http://www.example.com/doesntexist/bah.ida
yields
File C:\Inetpub\wwwroot\doesntexist\bah.ida. The system cannot find the path specified.

Brock Tellier
UNIX Systems Administrator
Chicago, IL, USA
btellier () usa net

Frank Knobbe at Home <FKnobbe () HOME COM> wrote:

-----Original Message-----
From: Chris Tobkin [mailto:tobkin () SOFTWARE UMN EDU]
Sent: Wednesday, January 12, 2000 2:08 PM

The same problem still exists on IIS4 (tested with SP5 - didn't try on SP6).

Still exists as far back as IIS3 also. (SP6a)

Can't reproduce the problem with IIS3 and SP6.

BTW: I'm running IIS3 on several servers without problems. I did not want to upgrade to IIS4 due to the complexity of its internal processes (and all those exploits that followed). My main complaint is still that I do not want to run IIS under the system account as IIS4 requires. Anyway, a time will come when we need to upgrade to W2K and IIS5. Does anyone have a comparison or analysis of IIS5 in respect to security (data channels, posting acceptors, etc)?

Regards,
Frank
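Added example, not part of any post in this thread: a check that finds and redacts local Windows paths of the kind quoted above in HTTP response bodies, for use in a regression test or a response filter in front of the server. The function names, the placeholder text and the "/generic404" body are assumptions; the other two sample bodies are constructed from the error messages quoted in the thread.

```python
import re

# One path segment: no separators, no characters Windows forbids in names,
# no whitespace, and no trailing sentence punctuation. Stopping at whitespace
# keeps the match from running into the rest of the error sentence; a path
# containing spaces is still flagged, but only up to the first space.
_SEG = r"[^\\/:*?\"<>|\s]*[^\\/:*?\"<>|\s.,;)]"
# Drive-letter form (C:\dir\file) or UNC form (\\host\share\file).
WIN_PATH = re.compile(r"(?:\b[A-Za-z]:|\\\\%s)(?:\\%s)+" % (_SEG, _SEG))


def find_path_leaks(body):
    """Return every absolute Windows path found in a response body."""
    return WIN_PATH.findall(body)


def redact_paths(body, placeholder="[path removed]"):
    """Replace each leaked path so the error text no longer shows it."""
    return WIN_PATH.sub(lambda m: placeholder, body)


def audit(responses):
    """Map URL -> leaked paths for a {url: body} capture; clean URLs omitted."""
    report = {}
    for url, body in responses.items():
        leaks = find_path_leaks(body)
        if leaks:
            report[url] = leaks
    return report


# Constructed sample capture (bodies only, no headers).
SAMPLES = {
    "/exists/bah.ida":
        r"The IDQ file C:\Inetpub\wwwroot\exists\bah.ida could not be found.",
    "/doesntexist/bah.ida":
        r"File C:\Inetpub\wwwroot\doesntexist\bah.ida. "
        r"The system cannot find the path specified.",
    "/generic404": "The page cannot be found.",
}

if __name__ == "__main__":
    for url, leaks in audit(SAMPLES).items():
        print(url, "leaks", leaks)
        print("  filtered:", redact_paths(SAMPLES[url]))
```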
Current thread:
- Re: IIS still revealing paths for web directories Jonah Kowall (Jan 12)
- <Possible follow-ups>
- SV: IIS still revealing paths for web directories Kristoffer Ustad (Jan 13)
- Re: IIS still revealing paths for web directories Eric.Stevens () AVENTIS COM (Jan 13)
- Re: IIS still revealing paths for web directories Vanja Hrustic (Jan 15)
- Re: IIS still revealing paths for web directories Rob Systhine (Jan 14)
- Re: IIS still revealing paths for web directories Frank Knobbe at Home (Jan 15)
- Re: IIS still revealing paths for web directories Niklas Schiffler (Jan 18)
- IIS still revealing paths for web directories Michael Howard (Jan 17)
- Re: IIS still revealing paths for web directories Brock Tellier (Jan 18)
- Re: IIS still revealing paths for web directories Kevin Matthew (Jan 19)
- Re: IIS still revealing paths for web directories Michael Howard (Jan 20)