Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

CORRECTION: Remote IIS 5.x and IIS 6.0 Server Name Spoof

from [Mark Burnett] Network Security [Permanent Link]
Subject: CORRECTION: Remote IIS 5.x and IIS 6.0 Server Name Spoof
Date: Thu, 25 Aug 2005 12:15:17 -0600 
I just wanted to clarify some issues here. First of all, this is by no means a 
new discovery. Others have mentioned it and I even used it as an example in my 
book "Hacking the Code". It is not a flaw in the handling of the server 
variable, but a bug in the 500-100.asp script. It is also important to note 
that this issue does not affect IIS 6 as Inge claims. 

The original code in IIS 5 used the SERVER_NAME variable to see if the user was 
local with this code:

                If (strServername = "localhost" or strServerIP = strRemoteIP)  
And .....

In IIS 6 they updated the code to this:

                If (strServerIP = strRemoteIP) And...

A quick fix for this is to pull the 500-100.asp script from IIS 6 and use it 
for IIS 5. A better fix is to simply replace that error with a static html page.

So if you maintain a vulnerability database, write vulnerability scanners, 
assign vulnerability ID numbers, or if you somehow document this, you should 
correct this so we all don't have to explain this every time in the next 10 
years that someone runs vulnerability scanner on IIS 6 and this shows up in the 
report.

Incidently, you do not need to use telnet to manually enter the URL to exploit 
this. An easier solution is to change your HOSTS file so that localhost points 
to the remote IP address of the target IIS server. Then you can use your 
browser to hammer away at it.


Mark Burnett
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • CORRECTION: Remote IIS 5.x and IIS 6.0 Server Name Spoof, Mark Burnett <=
Previous by Date:  Astaro Security Linux 6.0 - HTTP CONNECT Access Localhost Weakness, oliver karow
Next by Date:  [Full-disclosure] Re: MS05_039 Exploitation (different languages), Fabrice MOURRON
Previous by Thread:  Astaro Security Linux 6.0 - HTTP CONNECT Access Localhost Weakness, oliver karow
Next by Thread:  [Full-disclosure] Simple PHP Blog File Upload and User Credentials Exposure Vulnerabilities, Scott Dewey
Indexes:  [Date] [Thread] [Top] [All Lists]