Bugtraq mailing list archives

Re: IIS still revealing paths for web directories


From: kevinm () WINCOM NET (Kevin Matthew)
Date: Wed, 19 Jan 2000 13:59:01 -0500


Hello,

        There's another glitch when you have a password protected
web directory with IIS5 and sending the http://www.iisServer.blah/blah.ida
When the root folder on that website is password protected you do not get
asked to authenticate but you just receive the error like other
postings.  Ditto with guessing content of that folder: the server would not
ask for the auth but just report a missing .ida file with full path of the
local file.

        IIS should ask for the password before giving out anything else.

Kevin Matthew <kevinm () wincom net>
Windsor Information Network Company Limited (WINCOM)
4325 County Road 42, Unit 10
Windsor, Ontario N8A 6J3
____________________________________________________
Phone: 519.972.1007  Fax: 519.972.7009

On Tue, 18 Jan 2000, Brock Tellier wrote:

BTW, different error messages are given depending on whether or not the path
up to the idq file exists.  In my brief testing:

http://www.example.com/exists/bah.ida
yields
The IDQ file C:\Inetpub\wwwroot\exists\bah.ida could not be found.


http://www.example.com/doesntexist/bah.ida
yields
File C:\Inetpub\wwwroot\doesntexist\bah.ida. The system cannot find the path
specified.

Brock Tellier
UNIX Systems Administrator
Chicago, IL, USA
btellier () usa net

Frank Knobbe at Home <FKnobbe () HOME COM> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

-----Original Message-----
From: Chris Tobkin [mailto:tobkin () SOFTWARE UMN EDU]
Sent: Wednesday, January 12, 2000 2:08 PM

The same problem still exists on IIS4 (tested with SP5 - didn't try on SP6).

Still exists as far back as IIS3 also. (SP6a)

Can't reproduce the problem with IIS3 and SP6.

BTW: I'm running IIS3 on several servers without problems. I did not
want to upgrade to IIS4 due to the complexity of its internal
processes (and all those exploits that followed). My main complaint
is still that I do not want to run IIS under the system account as
IIS4 requires.

Anyway, a time will come when we need to upgrade to W2K and IIS5.
Does anyone have a comparison or analysis of IIS5 in respect to
security (data channels, posting acceptors, etc)?

Regards,
Frank


-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.1
Comment: PGP or S/MIME (X.509) encrypted email preferred.

iQA/AwUBOIFcCURKym0LjhFcEQI+XwCeM4vv5ILglddvWw1LIWYBNOPifSEAoJ7z
/+V1C97k2f+QTjNw9YGgmA90
=qq7D
-----END PGP SIGNATURE-----
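
A check for the two behaviours reported in this thread (the local path in the .ida error text, and an error body returned where an authentication challenge was expected), run over captured responses. This is an added example, not code from any poster in the thread; the helper names, the sample capture, its status codes and the protected prefix are assumptions constructed for illustration.

```python
import re

# Patterns for the two error strings quoted in this thread; "path" is the leaked local path.
VARIANTS = {
    "idq-file-missing": re.compile(
        r"The IDQ file (?P<path>[A-Za-z]:\\[^\r\n<]*?) could not be found\."),
    "path-missing": re.compile(
        r"File (?P<path>[A-Za-z]:\\[^\r\n<]*?)\.\s+The system cannot find the path\s+specified\."),
}

def audit_response(url_path, status, body, protected_prefixes=()):
    """Return findings for one captured response (hypothetical helper)."""
    findings = []
    for variant, rx in VARIANTS.items():
        m = rx.search(body)
        if m:
            findings.append({
                "issue": "local-path-disclosure",
                "variant": variant,
                "leaked_path": m.group("path"),
                # Per the thread, the wording differs by whether the directory exists.
                "directory_exists": variant == "idq-file-missing",
            })
    # A protected URL should be answered with 401 before any other content.
    if any(url_path.startswith(p) for p in protected_prefixes) and status != 401:
        findings.append({"issue": "no-auth-challenge", "status": status})
    return findings

# Constructed sample capture: (URL path, status, body). Status codes are assumed.
SAMPLE = [
    ("/exists/bah.ida", 200,
     "The IDQ file C:\\Inetpub\\wwwroot\\exists\\bah.ida could not be found."),
    ("/doesntexist/bah.ida", 200,
     "File C:\\Inetpub\\wwwroot\\doesntexist\\bah.ida. The system cannot find the path\nspecified."),
    ("/exists/index.htm", 401, "Access denied."),
]

def scan(capture, protected_prefixes=("/exists/",)):
    """Audit every captured response, keyed by URL path."""
    return {path: audit_response(path, status, body, protected_prefixes)
            for path, status, body in capture}

if __name__ == "__main__":
    for path, findings in scan(SAMPLE).items():
        print(path, findings)
```
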

