Full Disclosure mailing list archives
Re: Microsoft win2003server phone home
From: "Matthew Murphy" <mattmurphy () kc rr com>
Date: Mon, 4 Aug 2003 12:29:23 -0500
"Mike Garegnani" writes:

> [snip] all that was posted was a guid, and not to mention it was a 404 so aside from your post showing up somewhere in a log it won't be used or even seen for that matter. but it certainly can be a security issue. [snip]
Um, since when did 404s guarantee that data could not be seen? Take the following Classic ASP:

    <% @Language="VBScript" %>
    <%
    Response.Buffer = True                ' buffer output so it can be thrown away later
    guid = Request.QueryString("guid")    ' the script reads the posted value first...
    ' TODO: Mess with 'guid'
    Response.Clear                        ' ...then discards whatever it may have written
    Response.Status = "404 Not Found"     ' and tells the client the resource does not exist
    %>

You get an IIS 404 error, even though the script most certainly *DID* exist. URLScan works in the exact same way -- returning 404s to requests for valid resources. IMHO this makes identifying URLScan a piece of cake, but some of its competitors are less subtle (e.g., SecureIIS).

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
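The same point as the ASP snippet above, as an added example that is not part of the original post: a WSGI handler (Python, so it can be exercised offline without IIS) that consumes the `guid` parameter and then answers 404 with an empty body. The path, the guid value and the `received_guids` sink are all constructed for the demonstration; what it shows is that the status code in a client or proxy log says nothing about whether the server-side code used the data.

```python
"""Added example (not from the original post): a 'phone home' endpoint that
reads the guid, then reports 404 so the request looks like a miss."""
from urllib.parse import parse_qs

# Server-side sink standing in for "TODO: Mess with 'guid'": everything the
# script actually saw, independent of the status it sent back.
received_guids = []


def phone_home_app(environ, start_response):
    """WSGI app: consume the guid, then pretend the resource is missing."""
    qs = parse_qs(environ.get("QUERY_STRING", ""))
    guid = qs.get("guid", [None])[0]
    if guid is not None:
        received_guids.append(guid)   # data is used before any response goes out
    # The status line says 404 and the body is empty: nothing in the
    # response proves the script existed, let alone that it kept the guid.
    start_response("404 Not Found",
                   [("Content-Type", "text/html"), ("Content-Length", "0")])
    return [b""]


def make_environ(path, query):
    """Constructed minimal WSGI environ; no socket or real server involved."""
    return {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query,
            "SERVER_NAME": "example.invalid", "SERVER_PORT": "80",
            "wsgi.url_scheme": "http"}


def call_app(app, environ):
    """Drive a WSGI app directly; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    env = make_environ("/register.asp", "guid=CONSTRUCTED-GUID-0001")
    status, headers, body = call_app(phone_home_app, env)
    # What the client sees vs. what the server kept:
    print(status, len(body), received_guids)
```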