Penetration Testing mailing list archives

strange urlscan behaviour


From: Marco van Berkum <m.v.berkum () obit nl>
Date: Tue, 18 Mar 2003 12:21:38 +0100

Hi,

while pentesting a remote customer I came across this issue:

$ telnet somehost 80
Trying xxx.xxx.xxx.xxx...
Connected to somehost.
Escape character is '^]'.
SEARCH / HTTP/1.0

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Cache-Control: no-cache,no-transform
Expires: Tue, 18 Mar 2003 10:49:32 GMT
Content-Location: http://xxx.xxx.xxx.xxx/intro.htm?404;http://xxx.xxx.xxx.xxx/<Rejected-By-UrlScan>?~/
Vary: *
Date: Tue, 18 Mar 2003 10:49:32 GMT
Content-Type: text/html
Accept-Ranges: bytes
Content-Length: 302

<HTML>
bladiebla text text
</HTML>
Connection closed by foreign host.
$

This site is using lockdown but what surprised me a bit is that it's nicely
telling me that it's using urlscan in the Content-Location header.
It exposes this information by using the SEARCH, TRACE, PROPFIND
and PROPPATCH options; any other requests do not expose 'interesting'
information in the Content-Location header.

According to the OPTIONS request these options are allowed:

Public: OPTIONS, TRACE, GET, HEAD, POST
Allow: OPTIONS, TRACE, GET, HEAD

I was not able to produce this on other machines.
Any hints on what might be causing this?

Cheers,
Marco van Berkum


--
 ----------------------------------------
|    Marco van Berkum / MB17300-RIPE     |
| m.v.berkum () obit nl / http://ws.obit.nl |
 ----------------------------------------
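
Added example, not part of the original post: a check an administrator can run over responses captured from their own server to flag the two things the message describes, a header value carrying a <Rejected-By-...> marker and a 200 answer to a method that the Allow list does not advertise. The sample responses are constructed from the capture in the post (addresses stay masked), and the function names are assumptions.

```python
import re

MARKER = re.compile(r"<Rejected-By-[^>]+>", re.I)   # e.g. <Rejected-By-UrlScan>
ALLOW = {"OPTIONS", "TRACE", "GET", "HEAD"}         # Allow header quoted in the post

# Constructed sample responses modelled on the capture in the post.
SAMPLE_SEARCH = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Content-Location:\r\n"
    " http://xxx.xxx.xxx.xxx/intro.htm?404;http://xxx.xxx.xxx.xxx/<Rejected-By-UrlScan>?~/\r\n"
    "Content-Type: text/html\r\n\r\n<HTML></HTML>"
)
SAMPLE_GET = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Content-Location: http://xxx.xxx.xxx.xxx/intro.htm\r\n"
    "Content-Type: text/html\r\n\r\n<HTML></HTML>"
)

def parse_response(raw):
    """Return (status_code, headers); folded continuation lines are unfolded."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(head[0].split()[1])
    headers = []
    for line in head[1:]:
        if line[:1] in (" ", "\t") and headers:      # continuation of previous header
            name, value = headers[-1]
            headers[-1] = (name, (value + " " + line.strip()).strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return status, headers

def audit(method, raw, allow):
    """List disclosure findings for one request method and its raw response."""
    status, headers = parse_response(raw)
    found = []
    for name, value in headers:
        m = MARKER.search(value)
        if m:
            found.append(f"{method}: {name} discloses filter marker {m.group(0)}")
    if method.upper() not in allow and status == 200:
        found.append(f"{method}: not in Allow but answered {status}")
    return found

if __name__ == "__main__":
    for method, raw in (("SEARCH", SAMPLE_SEARCH), ("GET", SAMPLE_GET)):
        print(method, audit(method, raw, ALLOW) or "no findings")
```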



