lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: mattmurphy at kc.rr.com (Matthew Murphy)
Subject: Microsoft win2003server phone home

"Mike Garegnani" writes:
> [snip]
> all that was posted was a guid, and not to mention it was a 404 so
> aside from your post showing up somewhere in a log it won't be used or
even
> seen for that matter. but it certainly can be a security issue.
> [snip]

Um, since when did 404's guarantee that data could not be seen?  Take the
following Classic ASP:

<% @Language="VBScript" %>
<%
guid = Request.Query("guid")
Response.AddHeader("Status: 404 Not Found")
Response.Buffer = True
' TODO: Mess with 'guid'
Response.Clear
%>

You get an IIS 404 error, even though the script most certainly *DID* exist.
URLScan works in the exact same way -- returning 404s to requests for valid
resources.  IMHO this makes identifying URLScan a piece of cake, but some of
its competitors are less subtle (e.g, SecureIIS).


Powered by blists - more mailing lists