Re: Web server default page

[Russell Fulton <r.fulton () AUCKLAND AC NZ>]

On 11/07/2009, at 8:59 AM, Valdis Kletnieks wrote:

> On Fri, 10 Jul 2009 15:23:46 EDT, "Cheek, Leigh" said:
>
> > Do you see any big vulnerabilities with the IIS default page?
>
> Well, for *starters*, it says "Somebody's asleep at the wheel here,
> and has IIS
> installed and running but no actual site."

not necessarily.  I know of sites where everything is put one dir
level down and the default index.html has just been left.

> Even if the IIS default page *itself* doesn't have holes, I'd not be
> surprised
> if it attracts *other* attacks:
>
> 1) Hmm.. Maybe the IIS got installed a long time ago by accident,
> and isn't
> patched. Let's toss some 2-year-old exploits at it and see what
> sticks..
>
> 2) If they're asleep on the IIS issue, I wonder what *else* is
> sitting there.
> Time to nmap the server, and maybe a few IP addrs up and down from
> it, and see
> what's open.  Maybe they left C:\ mapped to the world or something...
>
> Bottom line - the biggest problem is probably not the page, but the
> message
> it sends about the site's security stance...

Agreed.  From an auditing standpoint it is an indication that
something *may* be wrong.  Back in the days when windoze shipped with
all the light on I used to do regular scans looking for default pages
and many people were astounded to find out they had a web site on
their desk.

Russell

>