Focus on Microsoft
RE: IIS 4 Security Dec 11 2002 06:53PM
Ogle Ron (Rennes) (ron ogle thomson net)
Your friend is smart. You don't need to have a username/password to do many
of the buffer overflows, directory traversal, and URL encoding attacks
against an unpatched IIS server. You didn't say, but if the IIS server is
not protected by a firewall to only allow port 80 connections, then your
Windows servers would be toast by many other nasties.

Ron Ogle
Rennes, France

> -----Original Message-----
> From: anyluser [mailto:anyluser (at) yahoo (dot) com [email concealed]]
> Sent: Tuesday, December 10, 2002 10:53 PM
> To: focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: IIS 4 Security
>
>
> A friend and I are having a (friendly) debate and I
> was wondering what the SecBasics crowd thought.
>
> The Hypothetical Situation: A publicly available yet
> password protected web site is hosted using IIS 4 w/o
> SSL. It is completely unpatched and yet there are no
> sites or pages that can be accessed w/o a valid
> username and password. IOW, no anon access, ever.
>
> My Premise: It is reasonably secure right up until a
> brute force attack or eavesdropping yields a valid
> username/pass. If there are no URLs that don't
> require username and pass then a malformed URL will be
> challenged just as thoroughly, relegating exposure.
>
> His Argument: It can still be hacked b/c the username
> and password can be bypassed even w/o a directed
> effort towards discovering valid auth info (brute
> force). Note: He thinks it's possible but in
> practice doesn't know how to do it or if it can indeed
> be done.
>
> The only thing I could imagine happening is that
> someone telnets into port 80 and passes a URL in that
> way, but I didn't tell him that :) Since I don't know
> how to do that yet (I'm about to google it) I can't
> test it.
>
> So what do y'all think? How secure is a pw protected
> site from attack w/o a valid username and password?
>

Copyright 2008, SecurityFocus