Information Security News mailing list archives
Re: Microsoft IIS security hole persists despite available patch
From: InfoSec News <isn () C4I ORG>
Date: Wed, 5 Jul 2000 13:19:15 -0500
Forwarded by: Marc <marc () eeye com> I am guessing the exploit in question was IISHack which we released last year on June 15th. http://www.wired.com/news/technology/0,1282,20231,00.html "which allows anyone with a Web browser to gain admin-level access to a server" thats wrong as anyone, with half a technical brain, would know. | The hole enables an unauthorised visitor to determine what version of | NT is running, and to see or easily guess file and directory locations | with a mind towards further exploitation of the site. Some more technical inaccuracies. | On an e-commerce site with a shopping cart application running, | the flaw can make it easy to compromise consumers' account details. Add on some fear factor and you have your self an article to make your 1 article a week deadline. Pitiful reporting but yes there still are many sites vulnerable over a year later. Signed, Marc Maiffret Chief Hacking Officer eCompany / eEye T.949.675.8160 F.949.675.8191 http://www.eEye.com | -----Original Message----- | From: ISN Mailing List [mailto:ISN () SECURITYFOCUS COM]On Behalf Of | InfoSec News | Sent: Wednesday, July 05, 2000 7:04 AM | To: ISN () SECURITYFOCUS COM | Subject: [ISN] Microsoft IIS security hole persists despite available | patch | | | http://www.theregister.co.uk/content/6/11782.html | | By: Thomas C Greene in Washington | Posted: 05/07/2000 at 17:06 GMT | | An old and subsequently well-publicised flaw in Microsoft Internet | Information Server (IIS), which allows anyone with a Web browser to | gain admin-level access to a server, continues to plague many sites in | spite of the availability patches to correct it. | | The flaw first became news just over a year ago with a flurry of | advisories posted on numerous news sites, and Microsoft did respond | and issue a patch. Wired, for example, ran their coverage on 15 June | of last year. | | However, as one of The Register's sharp-eyed readers has discovered | and brought to our attention, putting the word out and issuing a patch | hardly guarantees that anyone will bother to install it. | | The hole enables an unauthorised visitor to determine what version of | NT is running, and to see or easily guess file and directory locations | with a mind towards further exploitation of the site. On an e-commerce | site with a shopping cart application running, the flaw can make it | easy to compromise consumers' account details. | | Among the more high-profile sites reported to be running the product | in a still-unpatched version are Safeway, IKEA and Tower Records. | Undoubtedly many thousands of less-known sites are as well. The | Register has confirmed the hole in the instances mentioned above, but | for obvious reasons we're not describing the exploit in detail. ISN is hosted by SecurityFocus.com --- To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".
Current thread:
- Re: Microsoft IIS security hole persists despite available patch InfoSec News (Jul 06)