Educause Security Discussion mailing list archives
Re: IIS 6.0
From: Brent <Brent () RSMAS MIAMI EDU>
Date: Wed, 29 Sep 2004 22:38:02 -0400
I would run Microsoft Baseline Security Analyzer V1.2.1 on the IIS server to report known vulnerabilities. It will list the possible threats and give you instructions on how to lock it down. Make sure you document your sets because it could possibly lock it down too tight.

http://www.microsoft.com/technet/security/tools/mbsahome.mspx

Here is an exploit that I found:

Microsoft Internet Information Server (IIS) vulnerable to cross-site scripting via HTTP TRACK method

Microsoft Internet Information Server (IIS) servers support a HTTP method called TRACK. The HTTP TRACK method returns the contents of client HTTP requests in the entity-body of the TRACK response. This behavior could be leveraged by attackers to access sensitive information, such as cookies or authentication data, contained in the HTTP headers of the request.

Read on: http://www.kb.cert.org/vuls/id/288308

Andrew Atwell wrote:
Please, can anyone offer any information on vulnerabilities in IIS 6.0?

Thanks,
Andrew A

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
-- Brent Alexander University of Miami RSMAS computer facility (305)361-4963 Brent () rsmas miami edu
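
A check for the TRACK echo behaviour described in the message above, for use against a server you administer. This is an added example, not part of the original post or of any Microsoft or CERT tooling; the header name `X-Echo-Canary`, the marker value, the host `www.example.edu` and the sample responses are constructed assumptions.

```python
import socket

CANARY = "canary-1f3a"           # constructed marker value
CANARY_HEADER = "X-Echo-Canary"  # hypothetical header name, not an IIS feature

# Constructed sample responses (not captured from a real server).
SAMPLE_ECHO = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n"
               b"Connection: close\r\n\r\n"
               b"TRACK / HTTP/1.1\r\nHost: www.example.edu\r\n"
               b"X-Echo-Canary: canary-1f3a\r\nConnection: close\r\n\r\n")
SAMPLE_REFUSED = b"HTTP/1.1 501 Not Implemented\r\nConnection: close\r\n\r\n"
SAMPLE_PLAIN_200 = b"HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n<html>home</html>"


def build_probe(host, method="TRACK"):
    """Raw request carrying a harmless marker header instead of real cookies."""
    return (f"{method} / HTTP/1.1\r\nHost: {host}\r\n"
            f"{CANARY_HEADER}: {CANARY}\r\nConnection: close\r\n\r\n").encode("ascii")


def parse_response(raw):
    """Split a raw HTTP response into (status_code, body); status 0 if malformed."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.decode("iso-8859-1").split("\r\n")[0].split(" ", 2)
    status = int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else 0
    return status, body


def echoes_request(raw):
    """True only if the server answered 200 and reflected our marker in the body."""
    status, body = parse_response(raw)
    return status == 200 and CANARY.encode("ascii") in body


def check_server(host, port=80, method="TRACK", timeout=5.0):
    """Send the probe over plain HTTP and report whether the request was echoed."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_probe(host, method))
        chunks = []
        while (data := s.recv(4096)):
            chunks.append(data)
    return echoes_request(b"".join(chunks))
```

A `True` result from `check_server` means the method is still enabled and request headers are reflected in the response body; a refusal status or a 200 without the marker returns `False`.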