Penetration Testing mailing list archives

Re: iXsecurity.tool.briiis.3.02


From: Alex Butcher <alex () s3 integralis co uk>
Date: Fri, 15 Jun 2001 12:09:22 +0100

ian.vitek () ixsecurity com wrote:

> iXsecurity Security Tool Release
> briiis.pl v3.02
> ================
>
> Tool Description
> ----------------
> Briiis is a tool for testing web servers for "/" encoding
> break out from web root vulnerability from an executable
> directory.
> E.g. IIS Unicode and double encoding vulnerabilities.

It's also worth remembering that Exchange uses IIS to provide Outlook
Web Access and that this (always?) makes the /exchange path a script
directory. It would appear that these hosts often get overlooked when
the patch monkey is instructed to hotfix "all our IIS servers" :)

Kudos to the author of the IIS unicode plugin in Nessus for pointing
this out to me. :)

Best Regards,
Alex.
-- 
Alex Butcher                                      PGP/GnuPG Key IDs:
Consultant, S3 Systems Security Services          alex@s3       B7709088
PGP: http://www.s3.integralis.co.uk/pgp/alex.pgp  alex.butcher@ 885BA6CE
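
Added example (not part of the original message, and not code from briiis.pl): a log check in Python that flags requests whose path uses an overlong-UTF-8 or double-encoded separator to climb out of a script directory, with /exchange watched alongside /scripts so Outlook Web Access hosts are not left out. The script-directory list, the "host method path" log layout and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_to_bytes

# Assumption: script (executable) directories to watch; /exchange is the
# OWA path from the message above, /scripts a common IIS script directory.
SCRIPT_DIRS = ("/scripts/", "/exchange/")
OVERLONG = re.compile(rb"[\xc0\xc1][\x80-\xbf]")  # 2-byte form of an ASCII byte
PCT = re.compile(rb"%[0-9A-Fa-f]{2}")             # escape left after one decode

def _fold_overlong(data):
    """Map 2-byte overlong UTF-8 sequences back to the ASCII byte they hide."""
    def repl(m):
        lead, cont = m.group(0)
        return bytes([((lead & 0x1F) << 6) | (cont & 0x3F)])
    return OVERLONG.sub(repl, data)

def inspect_path(raw_path):
    """Return why a path looks like an encoded-separator climb out of a
    script directory; an empty list means nothing was flagged."""
    once = unquote_to_bytes(raw_path)
    reasons = []
    if OVERLONG.search(once):
        reasons.append("overlong-utf8")
    if PCT.search(once):
        reasons.append("double-encoded")
    # Decode a second time and fold again, then treat "\" like "/".
    plain = _fold_overlong(unquote_to_bytes(_fold_overlong(once)))
    segments = plain.replace(b"\\", b"/").split(b"/")
    in_script_dir = raw_path.lower().startswith(SCRIPT_DIRS)
    # An odd encoding alone is not enough: it must also yield a ".." segment.
    if reasons and in_script_dir and b".." in segments:
        return reasons
    return []

# Constructed sample lines in an assumed "host method path" layout.
SAMPLE_LOG = [
    "web01 GET /scripts/..%c0%af../x",
    "mail01 GET /exchange/..%255c../x",
    "mail01 GET /exchange/inbox/Report%2520Q2.eml",  # benign double encoding
    "mail01 GET /exchange/logon.asp",
]

def scan(lines):
    """Return (host, path, reasons) for every flagged request."""
    parsed = (line.split(None, 2) for line in lines)
    return [(h, p, r) for h, _m, p in parsed if (r := inspect_path(p))]
```

A hit against a mail host in the output of scan() is the cue to confirm that host received the same IIS hotfix as the web servers.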

