Bugtraq mailing list archives

RE: Creating a secret web site on IIS 5.x using Alternative Data Streams

From: "James C Slora Jr" <Jim.Slora () phra com>
Date: Tue, 9 Aug 2005 11:12:17 -0400

Mitigation at the IIS server looks pretty straightforward.

URLScan in default configuration prevents access to ADS files, generating
the following log line:

Client at 10.1.1.100: URL contains sequence ':', which is disallowed.
Request will be rejected.  Site Instance='1', Raw
URL='/myremoteserver/help.gif:secret'

So you should see accesses in the IIS logs if you don't run URLScan, and
failed attempts in the URLScan logs if you do run it.

Current thread:

Creating a secret web site on IIS 5.x using Alternative Data Streams inge_eivind . henriksen (Aug 09)
- RE: Creating a secret web site on IIS 5.x using Alternative Data Streams James C Slora Jr (Aug 09)