Educause Security Discussion mailing list archives
Re: Web server default page
From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Wed, 15 Jul 2009 15:06:19 +1200
On 11/07/2009, at 8:59 AM, Valdis Kletnieks wrote:
> On Fri, 10 Jul 2009 15:23:46 EDT, "Cheek, Leigh" said:
>> Do you see any big vulnerabilities with the IIS default page?
> Well, for *starters*, it says "Somebody's asleep at the wheel here, and has IIS installed and running but no actual site."
Not necessarily. I know of sites where everything is put one dir level down and the default index.html has just been left.
> Even if the IIS default page *itself* doesn't have holes, I'd not be surprised if it attracts *other* attacks:
> 1) Hmm.. Maybe the IIS got installed a long time ago by accident, and isn't patched. Let's toss some 2-year-old exploits at it and see what sticks..
> 2) If they're asleep on the IIS issue, I wonder what *else* is sitting there. Time to nmap the server, and maybe a few IP addrs up and down from it, and see what's open. Maybe they left C:\ mapped to the world or something...
> Bottom line - the biggest problem is probably not the page, but the message it sends about the site's security stance...
Agreed. From an auditing standpoint it is an indication that something *may* be wrong. Back in the days when windoze shipped with all the lights on I used to do regular scans looking for default pages and many people were astounded to find out they had a web site on their desk.
Russell
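The kind of default-page audit discussed in this thread, as an added example that is not part of the original messages: it classifies root-page bodies already collected from hosts you administer and treats a match as a prompt for review, not proof of a problem. The marker patterns, the registered-host list and the sample responses are assumptions constructed for illustration.

```python
import re

# Markers taken from a few well-known stock landing pages. Assumption: this
# short list is illustrative; extend it for the servers your site actually runs.
DEFAULT_PAGE_MARKERS = [
    ("IIS 'Under Construction' page",
     re.compile(r"<title>\s*Under Construction\s*</title>", re.I)),
    ("IIS 7 welcome page", re.compile(r"<title>\s*IIS7\s*</title>", re.I)),
    ("Apache 'It works!' page", re.compile(r"<h1>\s*It works!\s*</h1>", re.I)),
]

def classify_default_page(body):
    """Return the label of the stock page the body matches, or None."""
    for label, pattern in DEFAULT_PAGE_MARKERS:
        if pattern.search(body):
            return label
    return None

def audit(responses, registered_hosts):
    """responses maps host -> body of "/". Returns (host, label, action) tuples."""
    findings = []
    for host, body in sorted(responses.items()):
        label = classify_default_page(body)
        if label is None:
            continue
        # A default page only says something *may* be wrong: a registered
        # server may keep its content one directory down, while an
        # unregistered one is a web server nobody knew was running.
        if host in registered_hosts:
            action = "registered server: confirm with owner"
        else:
            action = "unregistered server: investigate"
        findings.append((host, label, action))
    return findings

# Constructed sample data (documentation address range), not real scan output.
REGISTERED_HOSTS = {"192.0.2.10", "192.0.2.30"}
SAMPLE_RESPONSES = {
    "192.0.2.10": "<html><head><title>IIS7</title></head><body></body></html>",
    "192.0.2.20": "<html><body><h1>It works!</h1></body></html>",
    "192.0.2.30": "<html><head><title>Library Catalogue</title></head></html>",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSES, REGISTERED_HOSTS):
        print(" | ".join(finding))
```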