Penetration Testing mailing list archives
RE: assessing IIS 5.0
From: "Butler, Theodore" <Theodore.Butler () EssexCorp com>
Date: Tue, 5 Sep 2006 17:00:03 -0400
Vijay,

I thought you were doing a risk evaluation, not simply identifying vulnerabilities. There is a difference. The methodology is the same whether it's payment cards, networks, or widgets: threats, value and vulnerabilities (and motivation of the perpetrator) need to be accounted for where possible to identify risk. It's assumed as a given that all this is mapped against policy and requirements as a backdrop to give you a reference. These items should be gathered during the information gathering aspect of the assessment.

I agree it's presumptuous to assign risk without it being clearly defined; however, the argument here is that industry has already defined it to be composed of the elements I've listed above. Therefore assigning risk without attempting to account for environmental elements is incomplete. That's the difference between doing vulnerability scans and assessing risk. Risk accounts for the whole enchilada.

This is what makes the world so beautiful, free speech and differences of view.

Here's some specific information on the Internal IP address disclosure vulnerability in IIS 4.0 and 5.0:
http://archive.cert.uni-stuttgart.de/archive/bugtraq/2001/08/msg00127.html

Peace,
Ted

-----Original Message-----
From: Robert E. Lee [mailto:robert () outpost24 com]
Sent: Tuesday, September 05, 2006 2:43 PM
To: Butler, Theodore
Cc: vijay.shetti () gmail com; pen-test () securityfocus com
Subject: Re: assessing IIS 5.0

On Tue, 5 Sep 2006 12:01:14 -0400 "Butler, Theodore" <Theodore.Butler () EssexCorp com> wrote:
> The risk will be determined by the threat, and value of the associated asset (web server and its content) coupled with its vulnerability.
>
> Risk = Threat x Vulnerability (likelihood of threat's success) x Cost (Value to replace).
>
> The vulnerability is only one part and only you know the other 2 aspects.
Vijay,

Unfortunately, that calculation isn't possible for a third party to calculate and use in a vulnerability report. In reports, you will have an easier time if you just clearly state the category of the problem and the consequence of the problem. In this case, IIS revealing the internal IP address is a "systems configuration information disclosure, affecting Confidentiality".

Without understanding the security policy of the system being evaluated (i.e., not provided, doesn't exist, etc.), trying to assign a risk value/rating is presumptuous and baseless if not clearly defined in your report. If they don't give you a policy, then you should define your terms in your report so the reader can understand your logic behind assigning the value.

For example, if you were evaluating the system for PCI/SDP, they place:

- level 5 (Urgent) value to vulnerabilities affecting CIA system wide,
- level 4 (Critical) value to vulnerabilities affecting C system wide, or if sensitive content is being leaked (without defining sensitive),
- level 3 (Critical) value to vulnerabilities partial C of files or of security configuration information, availability issues, and other misc policy violations (such as being able to relay mail),
- level 2 (Medium) C related to non-security systems configuration information (IP addresses, server version information, etc), and
- level 1 (Low) to C related to open ports.

If the system audited is held to PCI/SDP policy standards this finding could be a Level 2 (Medium) finding.

Best of luck,
Robert

--
Robert E. Lee
Chief Security Officer
http://www.outpost24.com
phone: +46-(0)455-612-320
fax : +46-(0)455-13960
email: robert () outpost24 com

------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------
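The two positions in the thread can be tied together in a small report helper: Robert's advice is to state the category and the affected property (configuration information disclosure, Confidentiality) and, if a policy such as the PCI/SDP scale is in force, the level that scale assigns; Ted's point is that the risk figure (Threat x Vulnerability x Cost) needs inputs only the asset owner has. The script below is an added example, not code from either poster or from any tool they mention. It parses a constructed HTTP response, flags private (RFC 1918, loopback, link-local) addresses in the Location or Content-Location header, assigns the level Robert quoted for IP address disclosure, and computes Ted's product only when the owner supplies the three inputs. That the disclosure appears in a redirect Location header is an assumption made here for the sample; the address, host and weights are made up.

```python
import ipaddress
import re

# Constructed sample response (not captured from a real server): a redirect
# whose Location header carries an internal address. The header name and the
# address are assumptions for this example.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Object Moved\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Location: http://10.1.2.3/images/\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Severity levels as Robert quoted them for the PCI/SDP scale.
LEVEL_LABELS = {5: "Urgent", 4: "Critical", 3: "Critical", 2: "Medium", 1: "Low"}
FINDING_LEVELS = {
    "cia_systemwide": 5,
    "confidentiality_systemwide": 4,
    "partial_confidentiality_or_security_config": 3,
    "non_security_config_info": 2,   # IP addresses, server version, etc.
    "open_ports": 1,
}


def parse_headers(raw):
    """Split a raw HTTP response into (status_line, {lowercased name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def private_ips_in(text):
    """Return the private, loopback or link-local IPv4 addresses found in text."""
    found = []
    for candidate in IPV4_RE.findall(text):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:
            continue  # e.g. 999.1.1.1 matches the regex but is not an address
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            found.append(str(ip))
    return found


def find_internal_ip_disclosure(raw):
    """List (header, address) pairs where a redirect header leaks an internal IP."""
    _, headers = parse_headers(raw)
    leaks = []
    for name in ("location", "content-location"):
        if name in headers:
            for ip in private_ips_in(headers[name]):
                leaks.append((name, ip))
    return leaks


def classify(finding_kind):
    """Map a finding kind to the (level, label) pair of Robert's scale."""
    level = FINDING_LEVELS[finding_kind]
    return level, LEVEL_LABELS[level]


def risk_score(threat, likelihood, cost):
    """Ted's Risk = Threat x Vulnerability (likelihood) x Cost.

    The three inputs come from the asset owner; here threat and likelihood are
    assumed to be fractions in 0..1 and cost a replacement value in money units.
    """
    return threat * likelihood * cost


def assess(raw, threat=None, likelihood=None, cost=None):
    """Build the report entry Robert suggests; add Ted's figure only if the
    owner supplied all three inputs. Returns None when nothing leaked."""
    leaks = find_internal_ip_disclosure(raw)
    if not leaks:
        return None
    level, label = classify("non_security_config_info")
    entry = {
        "category": "systems configuration information disclosure",
        "property": "Confidentiality",
        "evidence": leaks,
        "pci_level": level,
        "pci_label": label,
    }
    if None not in (threat, likelihood, cost):
        entry["risk"] = risk_score(threat, likelihood, cost)
    return entry


if __name__ == "__main__":
    print(assess(SAMPLE_RESPONSE))
    print(assess(SAMPLE_RESPONSE, threat=0.5, likelihood=0.8, cost=1000))
```

Without the owner's inputs the entry carries only the category, property, evidence and policy level, which is the form Robert recommends; with them it also carries the product Ted describes, so the report can show both without pretending the tester knew the environmental values.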
Current thread:
- assessing IIS 5.0 vijay shetti (Sep 05)
- Re: assessing IIS 5.0 Joey Peloquin (Sep 05)
- <Possible follow-ups>
- RE: assessing IIS 5.0 Butler, Theodore (Sep 05)
- Re: assessing IIS 5.0 Robert E. Lee (Sep 05)
- Re: assessing IIS 5.0 pratiksha . doshi (Sep 05)
- RE: assessing IIS 5.0 Butler, Theodore (Sep 05)
- RE: assessing IIS 5.0 Shenk, Jerry A (Sep 05)