Bugtraq mailing list archives
RE: Creating a secret web site on IIS 5.x using Alternative Data Streams
From: "James C Slora Jr" <Jim.Slora () phra com>
Date: Tue, 9 Aug 2005 11:12:17 -0400
Mitigation at the IIS server looks pretty straightforward. URLScan in default configuration prevents access to ADS files, generating the following log line: Client at 10.1.1.100: URL contains sequence ':', which is disallowed. Request will be rejected. Site Instance='1', Raw URL='/myremoteserver/help.gif:secret' So you should see accesses in the IIS logs if you don't run URLScan, and failed attempts in the URLScan logs if you do run it.
Current thread:
- Creating a secret web site on IIS 5.x using Alternative Data Streams inge_eivind . henriksen (Aug 09)
- RE: Creating a secret web site on IIS 5.x using Alternative Data Streams James C Slora Jr (Aug 09)