Penetration Testing mailing list archives
RE: IIS 3.0 pen-test
From: jerickson () telenisus com
Date: Thu, 5 Jul 2001 14:18:24 -0500
Well besides the rest of the vulnerabilites with MS IIS 3.0, I tested the servers for Unicode and it seemed they were vulnerable. ( I check using a perl script that I found on Packetstorm) it discovered that the servers
were
vulnerable to various forms of the unicode vulnerability.
The perl script you have checks for the word directory in the response from the server So when your getting back the error:
saying "HTTP/1.0 403 Access Forbidden (Execute Access Denied -This Virtual Directory does not allow objects to be executed.)"
your perl script thinks its vulnerable. This is a piece of code taken from a perl script that check for unicode. (taken from unicodeloader.pl) my @results=sendraw("GET $uni+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) { # THIS LINE IS GENERATING YOUR FALSE POSITIVE. Jon Erickson -------------------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
Current thread:
- IIS 3.0 pen-test Alex Balayan (Jul 05)
- <Possible follow-ups>
- RE: IIS 3.0 pen-test jerickson (Jul 05)
- Re: IIS 3.0 pen-test Parth Galen (Jul 05)