Security Basics mailing list archives

RE: Ten least secure programs


From: "Chris Berry" <compjma () hotmail com>
Date: Mon, 30 Jun 2003 17:42:55 -0700

From: "dave klimen" <dave () netmedic net>
Obviously a lack of experience would cause you to list IIS on this list.

Actually, I was thinking more of this:

2003-06-03: Microsoft IIS WebDAV PROPFIND and SEARCH Method Denial of Service Vulnerability
2003-05-30: Microsoft IIS SSINC.DLL Server Side Includes Buffer Overflow Vulnerability
2003-05-28:  Microsoft IIS ASP Header Denial Of Service Vulnerability
2003-05-28: Microsoft IIS Redirection Error Page Cross-Site Scripting Vulnerability
2003-05-28:  Microsoft Internet Information Service Multiple Vulnerabilities
2003-05-13:  Multiple Vendor Invalid X.509 Certificate Chain Vulnerability
2003-05-07:  Microsoft IIS WebDAV Denial Of Service Vulnerability
2003-05-03:  Microsoft IIS User Existence Disclosure Vulnerability
2003-02-10:  Multiple Vendor HTTP CONNECT TCP Tunnel Vulnerability
2003-02-07:  Microsoft IIS False Logging Weakness
2003-02-06: Microsoft IIS Malformed HTTP Get Request Denial Of Service Vulnerability
2002-11-05: Microsoft IIS Administrative Pages Cross Site Scripting Vulnerabilities
2002-11-04:  Microsoft IIS Out Of Process Privilege Escalation Vulnerability
2002-10-31:  Microsoft IIS Script Source Access File Upload Vulnerability
2002-10-31:  Multiple Microsoft IIS Vulnerabilities
2002-10-07: Microsoft IIS Malformed HTTP HOST Header Field Denial Of Service Vulnerability
2002-10-05:  Microsoft IIS IDC Extension Cross Site Scripting Vulnerability
2002-09-04: Microsoft IIS Chunked Encoding Transfer Heap Overflow Vulnerability
2002-07-12: Microsoft IIS SMTP Service Encapsulated SMTP Address Vulnerability
2002-05-27:  Microsoft IIS 5.0 Denial Of Service Vulnerability
2002-05-07: Microsoft IIS Chunked Encoding Heap Overflow Variant Vulnerability
2002-05-07:  Microsoft IIS HTTP Redirect Cross Site Scripting Vulnerability
2002-05-07: Microsoft IIS HTTP Error Page Cross Site Scripting Vulnerability
2002-05-07: Microsoft IIS FTP Connection Status Request Denial of Service Vulnerability
2002-05-07: Microsoft IIS ISAPI Filter Access Violation Denial of Service Vulnerability
2002-05-07: Microsoft IIS ASP Server-Side Include Buffer Overflow Vulnerability
2002-05-07: Microsoft IIS HTTP Header Field Delimiter Buffer Overflow Vulnerability
2002-05-07:  Microsoft IIS HTR ISAPI Extension Buffer Overflow Vulnerability
2002-04-19:  Microsoft MSDTC Service Denial of Service Vulnerability
2002-04-18: Microsoft IIS CodeBrws.ASP File Extension Check Out By One Vulnerability
2002-04-18:  Microsoft IIS CodeBrws.ASP Source Code Disclosure Vulnerability
2002-04-16: Microsoft IIS Help File Search Cross Site Scripting Vulnerability
2002-03-05:  Microsoft IIS Authentication Method Disclosure Vulnerability
2002-02-14: Microsoft IIS 5.1 Frontpage Extensions Path Disclosure Information Vulnerability
2002-02-12: Microsoft IIS 5.1 Frontpage Server Extensions File Source Disclosure Vulnerability
2002-01-16: Multiple Vendor Unprivileged User Permissions Log File Modification Vulnerability
2001-12-11:  Microsoft IIS False Content-Length Field DoS Vulnerability
2001-09-18: MS IIS/PWS Escaped Characters Decoding Command Execution Vulnerability
2001-09-10: Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability
2001-08-16: Microsoft IIS WebDAV Invalid Request Denial of Service Vulnerability
2001-08-16:  Microsoft IIS 4.0 URL Redirection DoS Vulnerability
2001-08-08: MS IIS Internal IP Address/Internal Network Name Disclosure Vulnerability
2001-07-04:  Microsoft IIS Device File Remote DoS Vulnerability
2001-07-04:  Microsoft IIS Device File Local DoS Vulnerability
2001-06-22:  Microsoft IIS Unicode .asp Source Code Disclosure Vulnerability
2001-05-17:  IIS WebDav Lock Method Memory Leak DoS Vulnerability
2001-05-16:  Microsoft IIS FTP Denial of Service Vulnerability
2001-05-15:  Microsoft IIS WebDAV Denial of Service Vulnerability
2001-05-15:  Microsoft IIS Multiple Invalid URL Request DoS Vulnerability
2001-05-15:  Microsoft IIS Cross Site Scripting .shtml Vulnerability
2001-05-15:  Microsoft IIS Various Domain User Account Access Vulnerability
2001-05-07:  Microsoft IIS WebDAV 'Propfind' Server Restart Vulnerability
2001-05-07: Microsoft IIS 5.0 .printer ISAPI Extension Buffer Overflow Vulnerability
2001-03-19:  Microsoft IIS WebDAV 'Search' Denial of Service Vulnerability
2001-03-07: Microsoft Exchange 2000 / IIS 5.0 Multiple Invalid URL Request DoS Vulnerability
2001-01-30:  Microsoft IIS File Fragment Disclosure Vulnerability
2000-12-22:  Microsoft IIS Front Page Server Extension DoS Vulnerability
2000-11-06:  Microsoft IIS 4.0 ISAPI Buffer Overflow Vulnerability
2000-11-06:  Microsoft IIS Executable File Parsing Vulnerability
2000-10-23: Microsoft IIS 4.0/5.0 Session ID Cookie Disclosure Vulnerability
2000-10-04:  Microsoft IIS 5.0 Indexed Directory Disclosure Vulnerability
2000-09-05: Microsoft NT 4.0 and IIS 4.0 Invalid URL Request DoS Vulnerability
2000-08-14: Microsoft IIS 5.0 "Translate: f" Source Disclosure Vulnerability
2000-08-10: Microsoft IIS 4.0/5.0 File Permission Canonicalization Vulnerability
2000-07-17:  Microsoft IIS 4.0/5.0 Source Fragment Disclosure Vulnerability
2000-07-14: Microsoft IIS 3.0 .htr Missing Variable Denial of Service Vulnerability
2000-07-13:  Microsoft IIS Internal IP Address Disclosure Vulnerability
2000-05-11: Microsoft IIS 4.0/5.0 Malformed File Extension DoS Vulnerability
2000-05-11:  Microsoft IIS 4.0/5.0 Malformed Filename Request Vulnerability
2000-05-10:  Microsoft IIS 4.0/5.0 Malformed .htr Request Vulnerability
2000-05-06: Microsoft Frontpage Server Extensions Path Disclosure Vulnerability
2000-04-12:  Microsoft IIS 4.0/5.0 Escaped Characters Vulnerability
2000-03-30:  Microsoft IIS UNC Mapped Virtual Host Vulnerability
2000-03-20: Microsoft IIS 4.0 Chunked Transfer Encoding Buffer Overflow Vulnerability
2000-03-08:  Microsoft IIS UNC Path Disclosure Vulnerability
2000-02-15:  Microsoft IIS 4.0 Pickup Directory DoS Vulnerability
2000-02-09:  NT IIS ASP VBScript Runtime Error Viewable Source Vulnerability
2000-02-02:  NT IIS idq.dll Directory Traversal Vulnerability
1999-12-21:  Microsoft IIS Virtual Directory Naming Vulnerability
1999-12-21:  Microsoft IIS Escape Character Parsing Vulnerability
1999-12-02:  IIS / Site Server Multithread SSL Vulnerability
1999-09-23:  Microsoft IIS 4.0 Domain Resolution Vulnerability
1999-09-23:  Microsoft IIS FTP NO ACCESS Read/Delete File Vulnerability
1999-08-16:  Microsoft IIS And PWS 8.3 Directory Name Vulnerability
1999-08-11:  NT IIS Malformed HTTP Request Header DoS Vulnerability
1999-07-19:  NT IIS MDAC RDS Vulnerability
1999-07-07:  NT IIS SSL DoS Vulnerability
1999-07-06:  Sun Java HotSpot DoS Vulnerability
1999-06-24:  NT IIS Double Byte Code Page Vulnerability
1999-06-15:  NT IIS4 Buffer Overflow Vulnerability
1999-06-01:  NT IIS ASP Alternate Data Streams Vulnerability
1999-06-01:  NT IIS Showcode ASP Vulnerability
1999-06-01:  NT IIS4 Remote Web-Based Administration Vulnerability
1999-06-01: Microsoft VisualInterDev 6.0 - IIS4 - Mgmt with no authentication Vulnerability
1999-06-01:  NT IIS4 Log Avoidance Vulnerability
1999-06-01:  NT IIS FTP DoS / Buffer Overflow Vulnerability
1999-06-01:  NT IIS4 DoS - ExAir Sample Site Vulnerability
1999-06-01: NT IIS IISAPI Extension Enumerate Root Web Server Directory Vulnerability
1999-06-01:  NT IIS4 Shared ASP Cache Vulnerability
1999-06-01:  NT Using ASP And FSO To Read Server Files Vulnerability
1999-06-01:  Microsoft JET Database Engine VBA Vulnerability
1999-06-01:  NT IIS ISAPI GetExtensionVersion() Vulnerability
1999-06-01:  Multiple Vendor PKCS#1 Vulnerability
1999-06-01:  Microsoft IIS 3.0 "%2e" ASP Source Disclosure Vulnerability
1999-06-01:  Microsoft IIS 3.0 newdsn.exe File Creation Vulnerability
1999-06-01: Multiple Vendor .BAT/.CMD Remote Command Execution Vulnerability
1999-06-01: Microsoft IIS Appended Dot Script Source Disclosure Vulnerability
1999-06-01:  Microsoft IIS 4.0 IISADMPWD Proxied Password Attack
1999-06-01:  Microsoft IIS '../..' Denial of Service Vulnerability
1999-06-01:  IIS 4.0 fpcount.exe Buffer Overflow Vulnerability
1999-06-01:  Microsoft IIS 3.0/4.0 Upgrade BDIR.HTR Vulnerability
1999-06-01:  Microsoft IIS Long URL Denial of Service Vulnerability

But if you have an actual argument I'd be happy to hear it.

Chris Berry
compjma () hotmail com
Systems Administrator
JM Associates

"Encrypt everything, and ask questions later."


