Penetration Testing mailing list archives

Re: assessing IIS 5.0


From: "Robert E. Lee" <robert () outpost24 com>
Date: Tue, 5 Sep 2006 20:42:30 +0200

On Tue, 5 Sep 2006 12:01:14 -0400
"Butler, Theodore" <Theodore.Butler () EssexCorp com> wrote:

> The risk will be determined by the threat, and value of the associated
> asset (web server and its content) coupled with its vulnerability. Risk
> = Threat x Vulnerability (likelihood of threat's success) x Cost(Value
> to replace). The vulnerability is only one part and only you know the
> other 2 aspects.

Vijay,

Unfortunately, that calculation isn't possible for a third party to calculate and use in a vulnerability report. In 
reports, you will have an easier time if you just clearly state the category of the problem and the consequence of the 
problem.  In this case, IIS revealing the internal IP address is a "systems configuration information disclosure, 
affecting Confidentiality".

Without understanding the security policy of the system being evaluated (i.e., not provided, doesn't exist, etc.), trying 
to assign a risk value/rating is presumptuous and baseless if not clearly defined in your report.  If they don't give 
you a policy, then you should define your terms in your report so the reader can understand your logic behind assigning 
the value.

For example, if you were evaluating the system for PCI/SDP, they place a level 5 (Urgent) value to vulnerabilities 
affecting CIA system wide, level 4 (Critical) value to vulnerabilities affecting C system wide, or if sensitive content 
is being leaked (without defining sensitive), level 3 (Critical) value to vulnerabilities affecting partial C of files or of 
security configuration information, availability issues, and other misc policy violations (such as being able to relay 
mail), level 2 (Medium) C related to non-security systems configuration information (IP addresses, server version 
information, etc.), and level 1 (Low) to C related to open ports.

If the system audited is held to PCI/SDP policy standards this finding could be a Level 2 (Medium) finding.

Best of luck,

Robert

-- 
Robert E. Lee
Chief Security Officer
http://www.outpost24.com
 
phone: +46-(0)455-612-320
fax  : +46-(0)455-13960
email: robert () outpost24 com
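The following is an added example, not code from the post or from Outpost24. It shows the check a tester would run to produce the finding discussed above (IIS revealing its internal IP address) and how to record it in the neutral form Robert recommends: category, the CIA property affected, and a severity level that is explicitly tied to a named policy. The assumptions are: the finding was produced by the classic IIS behaviour of answering a request that carries no Host header with a redirect whose Location header contains the server's own address (the thread does not say how Vijay found it); the PCI/SDP level mapping is taken from Robert's description in this message; and the HTTP response embedded below is constructed, not a capture from any real host.

```python
import ipaddress
import re
import socket

# Constructed sample response (not a real capture), modelled on the
# IIS behaviour assumed above: a Host-less request is answered with a
# redirect whose Location header carries the server's internal address.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Object Moved\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Location: http://10.0.0.12/default.asp\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Severity mapping as described in Robert's message for PCI/SDP. Only the
# levels this script can assign are listed; the wording is a paraphrase.
PCI_SDP_LEVELS = {
    2: "Medium",   # non-security systems configuration info (IPs, server version)
    1: "Low",      # open ports
}


def probe(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Send a bare HTTP/1.0 request with no Host header and return the raw
    response text. Not used by the offline demonstration below."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"GET / HTTP/1.0\r\n\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1", errors="replace")


def parse_headers(raw: str) -> dict:
    """Split a raw HTTP response into {lower-case header name: value}."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def find_internal_ips(headers: dict) -> list:
    """Return the private/loopback/link-local IPv4 addresses that appear
    anywhere in the header values, in order of first appearance."""
    found = []
    for value in headers.values():
        for candidate in IPV4_RE.findall(value):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:           # e.g. 999.1.1.1 matched by the regex
                continue
            if ip.is_private and str(ip) not in found:
                found.append(str(ip))
    return found


def report_findings(raw: str) -> list:
    """Turn a raw response into report entries: category, property affected,
    and the PCI/SDP level the message's mapping would assign."""
    headers = parse_headers(raw)
    findings = []
    ips = find_internal_ips(headers)
    if ips:
        findings.append({
            "title": "Internal IP address disclosed in HTTP response headers",
            "evidence": ips,
            "category": "systems configuration information disclosure",
            "affects": "Confidentiality",
            "pci_sdp_level": 2,
            "pci_sdp_label": PCI_SDP_LEVELS[2],
        })
    server = headers.get("server", "")
    if re.search(r"/\d", server):        # product/version, e.g. Microsoft-IIS/5.0
        findings.append({
            "title": "Server software version disclosed in Server header",
            "evidence": [server],
            "category": "systems configuration information disclosure",
            "affects": "Confidentiality",
            "pci_sdp_level": 2,
            "pci_sdp_label": PCI_SDP_LEVELS[2],
        })
    return findings


if __name__ == "__main__":
    for f in report_findings(SAMPLE_RESPONSE):
        print(f"[{f['pci_sdp_label']} / PCI-SDP level {f['pci_sdp_level']}] "
              f"{f['title']} ({f['category']}, affects {f['affects']}): "
              f"{', '.join(f['evidence'])}")
```

Against a live target you would call `probe(host)` and feed the result to `report_findings`; the stand-alone run above uses the constructed response instead. The point of the structure is that the policy name and level sit next to each other in every entry, so a reader who is not held to PCI/SDP can discard the level and keep the category and consequence, which is exactly the separation the message argues for.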


