Re: IIS still revealing paths for web directories

[mikehow () MICROSOFT COM (Michael Howard)]

what auth schemes are you using? if you've already used basic auth and
the .ida stuff is in the same realm as the previous basic auth realm
then you won't get prompted until you either (a) switch realms or (b)
use another auth scheme.

Cheers, Michael Howard
Windows 2000 Security
Got an 'Access Denied' problem? Check the appropriate logs first!

-----Original Message-----
From: Kevin Matthew [mailto:kevinm () WINCOM NET]
Sent: Wednesday, January 19, 2000 10:59 AM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: IIS still revealing paths for web directories

Hello,

        There's another glitch when you have a password protected
webdirectory with IIS5 and sendin the http://www.iisServer.blah/blah.ida
When the root folder on that website is password protected you do not
get
asked to authenticate but you just recieve the error like other
postings.  Ditto with guessing content of that folder the server would
not
ask for the auth but just report a missing .ida file with full path of
the
local file.

        IIS should ask for the password before giving out anything else.

Kevin Matthew <kevinm () wincom net>
Windsor Information Network Company Limited (WINCOM)
4325 County Road 42, Unit 10
Windsor, Ontario N8A 6J3
____________________________________________________
Phone: 519.972.1007  Fax: 519.972.7009

On Tue, 18 Jan 2000, Brock Tellier wrote:

> BTW, different error messages are given depending on whether or not
the path
> up to the idq file exists.  In my brief testing:
>
> http://www.example.com/exists/bah.ida
> yields
> The IDQ file C:\Inetpub\wwwroot\exists\bah.ida could not be found.
>
>
> http://www.example.com/doesntexist/bah.ida
> yields
> File C:\Inetpub\wwwroot\doesntexist\bah.ida. The system cannot find
the path
> specified.
>
> Brock Tellier
> UNIX Systems Administrator
> Chicago, IL, USA
> btellier () usa net
>
> Frank Knobbe at Home <FKnobbe () HOME COM> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > > -----Original Message-----
> > > From: Chris Tobkin [mailto:tobkin () SOFTWARE UMN EDU]
> > > Sent: Wednesday, January 12, 2000 2:08 PM
> > >
> > > > The same problem still exists on IIS4 (tested with SP5 -
> > > didn't try on
> > > > SP6).
> > >
> > > Still exists as far back as IIS3 also. (SP6a)
> >
> > Can't reproduce the problem with IIS3 and SP6.
> >
> > BTW: I'm running IIS3 on several servers without problems. I did not
> > want to upgrade to IIS4 due to the complexity of its internal
> > processes (and all those exploits that followed). My main complaint
> > is still that I do not want to run IIS under the system account as
> > IIS4 requires.
> >
> > Anyway, a time will come when we need to upgrade to W2K and IIS5.
> > Does anyone have a comparison or analysis of IIS5 in respect to
> > security (data channels, posting acceptors, etc)?
> >
> > Regards,
> > Frank
> >
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGP Personal Privacy 6.5.1
> > Comment: PGP or S/MIME (X.509) encrypted email preferred.
> >
> > iQA/AwUBOIFcCURKym0LjhFcEQI+XwCeM4vv5ILglddvWw1LIWYBNOPifSEAoJ7z
> > /+V1C97k2f+QTjNw9YGgmA90
> > =qq7D
> > -----END PGP SIGNATURE-----
>
>
> ____________________________________________________________________
> Get free email and a permanent address at
http://www.netaddress.com/?N=1
>

<HR NOSHADE>
<UL>
<LI>application/x-pkcs7-signature attachment: smime.p7s
</UL>