Educause Security Discussion mailing list archives

Re: IIS 6.0


From: Brent <Brent () RSMAS MIAMI EDU>
Date: Wed, 29 Sep 2004 22:38:02 -0400

I would run Microsoft Baseline Security Analyzer V1.2.1 on the IIS
server to report known vulnerabilities. It will list the possible
threats and give you instructions on how to lock it down.
Make sure you document your sets because it could possibly lock it down
too tight.
http://www.microsoft.com/technet/security/tools/mbsahome.mspx


Here is an exploit that I found


Microsoft Internet Information Server (IIS) vulnerable to cross-site
scripting via HTTP TRACK method
Microsoft Internet Information Server (IIS) servers support a HTTP
method called TRACK. The HTTP TRACK method returns the contents of
client HTTP requests in the entity-body of the TRACK response. This
behavior could be leveraged by attackers to access sensitive
information, such as cookies or authentication data, contained in the
HTTP headers of the request.
Read on:
http://www.kb.cert.org/vuls/id/288308




Andrew Atwell wrote:

Please

Can anyone offer any information on vulnerabilities in IIS 6.0?

Thanks,
Andrew A

********** Participation and subscription information for this
EDUCAUSE Discussion Group discussion list can be found at
http://www.educause.edu/groups/.


--
Brent Alexander
University of Miami
RSMAS computer facility
(305)361-4963
Brent () rsmas miami edu
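
A defender's check for the echo behaviour described in the advisory text above, as an added example that is not part of the original post or the CERT note: it sends a request carrying a random marker header to a server you administer and reports whether the response body reflects it. The `X-Echo-Canary` header name, the function names and the inclusion of TRACE alongside TRACK are assumptions of this example.

```python
import http.client
import secrets

# TRACK is the method named in the advisory; TRACE is added here as an
# assumption because it is the standard method with the same echo behaviour.
ECHO_METHODS = ("TRACK", "TRACE")
CANARY_HEADER = "X-Echo-Canary"  # hypothetical header name for this check


def classify(status, body, canary):
    """Decide what one response says about request echoing."""
    if canary.encode() in body:
        return "echoes-request"      # header reflected in the entity-body
    if 200 <= status < 300:
        return "accepted-no-echo"    # method allowed, marker not reflected
    return "rejected"                # e.g. 403/404/405/501: method refused


def probe(host, port=80, use_tls=False, timeout=5):
    """Probe a server you administer; returns {method: verdict}."""
    conn_cls = (http.client.HTTPSConnection if use_tls
                else http.client.HTTPConnection)
    results = {}
    for method in ECHO_METHODS:
        canary = "canary-" + secrets.token_hex(8)  # fresh marker per request
        conn = conn_cls(host, port, timeout=timeout)
        try:
            conn.request(method, "/", headers={CANARY_HEADER: canary})
            resp = conn.getresponse()
            results[method] = classify(resp.status, resp.read(65536), canary)
        except (OSError, http.client.HTTPException) as exc:
            results[method] = "error: " + type(exc).__name__
        finally:
            conn.close()
    return results


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for method, verdict in probe(host).items():
        print(f"{method:6} {verdict}")
```

A verdict of `echoes-request` for either method means the server still reflects request headers and the method should be disabled or filtered.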
