Educause Security Discussion mailing list archives

Re: Web server default page


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Fri, 10 Jul 2009 16:59:18 -0400

On Fri, 10 Jul 2009 15:23:46 EDT, "Cheek, Leigh" said:

> Do you see any big vulnerabilities with the IIS default page?

Well, for *starters*, it says "Somebody's asleep at the wheel here, and has IIS
installed and running but no actual site."

Even if the IIS default page *itself* doesn't have holes, I'd not be surprised
if it attracts *other* attacks:

1) Hmm.. Maybe the IIS got installed a long time ago by accident, and isn't
patched. Let's toss some 2-year-old exploits at it and see what sticks..

2) If they're asleep on the IIS issue, I wonder what *else* is sitting there.
Time to nmap the server, and maybe a few IP addrs up and down from it, and see
what's open.  Maybe they left C:\ mapped to the world or something...

Bottom line - the biggest problem is probably not the page, but the message
it sends about the site's security stance...
