Penetration Testing mailing list archives
RE: assessing IIS 5.0
From: "Butler, Theodore" <Theodore.Butler () EssexCorp com>
Date: Tue, 5 Sep 2006 12:01:14 -0400
Vijay,

The risk will be determined by the threat and the value of the associated asset (web server and its content), coupled with its vulnerability.

Risk = Threat x Vulnerability (likelihood of threat's success) x Cost (Value to replace).

The vulnerability is only one part, and only you know the other 2 aspects. You need to answer some questions like: Is the web server in a DMZ, honeypot, or secured portion of the network? These items help determine the threat level. Vulnerability is heavily determined by degree of exposure and its frequency (is this always the case?). Cost is influenced by impact. If the web server is compromised, will business shut down, or will it simply inconvenience everyone? How sensitive is the data (salaries, trade secrets, or simply inventory)?

My suggestion is to gather all these elements to compute the risk and, of course, test to validate your findings.

Ted B, CISSP

-----Original Message-----
From: vijay shetti [mailto:vijay.shetti () gmail com]
Sent: Monday, September 04, 2006 3:59 AM
To: pen-test () securityfocus com
Subject: assessing IIS 5.0

Hello all!!

During web assessment of one of our clients I came to know that IIS 5.0 has internal IP address disclosure vuln... But what to do next? What rank should I give it, is it a medium risk or low risk?

regards,
Vijay