lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <2005825121517.090939@burns>
Date: Thu, 25 Aug 2005 12:15:17 -0600
From: Mark Burnett <mb@...o.net>
To: <bugtraq@...urityfocus.com>
Subject: CORRECTION: Remote IIS 5.x and IIS 6.0 Server Name Spoof


I just wanted to clarify some issues here. First of all, this is by no means a new discovery. Others have mentioned it and I even used it as an example in my book "Hacking the Code". It is not a flaw in the handling of the server variable, but a bug in the 500-100.asp script. It is also important to note that this issue does not affect IIS 6 as Inge claims. 

The original code in IIS 5 used the SERVER_NAME variable to see if the user was local with this code:

		If (strServername = "localhost" or strServerIP = strRemoteIP)  And .....

In IIS 6 they updated the code to this:

		If (strServerIP = strRemoteIP) And...

A quick fix for this is to pull the 500-100.asp script from IIS 6 and use it for IIS 5. A better fix is to simply replace that error with a static html page.

So if you maintain a vulnerability database, write vulnerability scanners, assign vulnerability ID numbers, or if you somehow document this, you should correct this so we all don't have to explain this every time in the next 10 years that someone runs vulnerability scanner on IIS 6 and this shows up in the report.

Incidently, you do not need to use telnet to manually enter the URL to exploit this. An easier solution is to change your HOSTS file so that localhost points to the remote IP address of the target IIS server. Then you can use your browser to hammer away at it.


Mark Burnett






Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ