Full Disclosure mailing list archives

Re: Microsoft win2003server phone home

From: "Matthew Murphy" <mattmurphy () kc rr com>
Date: Mon, 4 Aug 2003 12:29:23 -0500

"Mike Garegnani" writes:

[snip]
all that was posted was a guid, and not to mention it was a 404 so
aside from your post showing up somewhere in a log it won't be used or

even

seen for that matter. but it certainly can be a security issue.
[snip]


Um, since when did 404's guarantee that data could not be seen?  Take the
following Classic ASP:

<% @Language="VBScript" %>
<%
guid = Request.Query("guid")
Response.AddHeader("Status: 404 Not Found")
Response.Buffer = True
' TODO: Mess with 'guid'
Response.Clear
%>

You get an IIS 404 error, even though the script most certainly *DID* exist.
URLScan works in the exact same way -- returning 404s to requests for valid
resources.  IMHO this makes identifying URLScan a piece of cake, but some of
its competitors are less subtle (e.g, SecureIIS).

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Microsoft win2003server phone home gyrniff (Aug 04)
- Re: Microsoft win2003server phone home Gaurav Kumar (Aug 04)
  - Re: Microsoft win2003server phone home manohar singh (Aug 04)
    - Re: Microsoft win2003server phone home Gaurav Kumar (Aug 04)
  - Re: Microsoft win2003server phone home Mike Garegnani (Aug 04)
    - Re: Microsoft win2003server phone home Matthew Murphy (Aug 04)
- Re: Microsoft win2003server phone home martin scherer (Aug 04)
  - Re: Microsoft win2003server phone home Valdis . Kletnieks (Aug 04)
    - RE: Microsoft win2003server phone home Jason Coombs (Aug 04)
    - Re: Microsoft win2003server phone home Valdis . Kletnieks (Aug 04)
- <Possible follow-ups>
- Re: Microsoft win2003server phone home Orochford (Aug 04)