Educause Security Discussion mailing list archives
Re: Web server default page
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Fri, 10 Jul 2009 16:59:18 -0400
On Fri, 10 Jul 2009 15:23:46 EDT, "Cheek, Leigh" said:
> Do you see any big vulnerabilities with the IIS default page?
Well, for *starters*, it says "Somebody's asleep at the wheel here, and has IIS installed and running but no actual site." Even if the IIS default page *itself* doesn't have holes, I'd not be surprised if it attracts *other* attacks:

1) Hmm.. Maybe the IIS got installed a long time ago by accident, and isn't patched. Let's toss some 2-year-old exploits at it and see what sticks..

2) If they're asleep on the IIS issue, I wonder what *else* is sitting there. Time to nmap the server, and maybe a few IP addrs up and down from it, and see what's open. Maybe they left C:\ mapped to the world or something...

Bottom line - the biggest problem is probably not the page, but the message it sends about the site's security stance...