IIS 5.0 Vulnerability
Results 1 to 7 of 7

Thread: IIS 5.0 Vulnerability

  1. #1
    Senior Member
    Join Date
    Aug 2002
    Posts
    651

    IIS 5.0 Vulnerability

    Hey, does anyone out there use Apache Web Server for Windows? Just curious if it's any better than IIS with the vulnerabilities and performance and such. I have quoted the entire bugtraq notification I received via email. This should be enough incentive to patch your installation. Maybe IIS 6.0 will be a little better; then again, that's what they say about every release.


    SYSTEMS AFFECTED ========



    IIS 5.0 / Windows 2000

    SP2 - SRP1

    (exploited with a browser)


    CONTENTS =========



    Subject: IIS 5.0 Cross Site Scripting Vulnerability

    Date: 27 September 2002

    Risk: Medium


    DESCRIPTION =========



    IIS 5.0 can be forced to return malicious content in user's browser.

    By using a large buffer URL with the idc extension, IIS shows a non-standard error page,

    which contains also the entire address submitted.

    The problem is that the address returned is not urlencoded, then is possible to store a script in the url,

    that will be executed by the browser.


    DETAILS =========



    http://server/<long_buffer>.idc



    http://server/<long_buffer><script_to_execute>.idc



    The total buffer must be long at least 334 chars.



    In the second case, <script_to_execute> is parsed by the server, printed in the html error page

    and executed by the browser.



    This may be used in a link for browsers and email clients.


    RISKS ==========



    Stealing cookies which may contain critical data (personal informations, passwords, etc).


    WORKAROUNDS ========



    Remove the .idc extension from application mappings.

    Update to SP3.



    VENDOR STATUS ========



    Microsoft was notified on 10 September.

    They confirmed, according to my testing on Win2k and their testing on WinNT,


    that this problem has been remedied with the latest SP and patches.
    Opinions are like holes - everybody\'s got\'em.

    Smile

  2. #2
    I belive apache is better. i dont personaly use it, but from what i have heard, its better.
    I think statistics wise, more ppl use apache than anyother one. dont quote me on that

  3. #3
    Junior Member
    Join Date
    Jul 2002
    Posts
    3
    Today in every platform you need to worry about patching your servers and reading securiy alerts. When the code red worm Apache users were laughting and now they have the similar slapper worm.

  4. #4
    Banned
    Join Date
    Sep 2002
    Posts
    222
    Thanks a ton for posting this, t2k2.

    yanyo: Exactly my thoughts.

  5. #5
    Member
    Join Date
    Sep 2002
    Posts
    86
    I like Apache better than IIS, but it isn't so much because of security as it is flexibility. I tend to write a lot of Java servlets and JSP and I like how easily Apache hands off Java processes to Tomcat. So make your decision based on what you need the server to do first, and then by the number of security patches you have to apply second.

    But remember, yanyo is correct. You need to keep up with all of the security patches for any software that you use regularly.

  6. #6
    Member
    Join Date
    Oct 2002
    Posts
    64
    Comparing IIS to Apache is like comparing swiss cheese to cheddar. With any web server you will have to be vigilant on monitoring any security patches that might be made available. However, IIS by far has more holes out of the box and is a favorite for attackers. Get a real web server, get Apache.

  7. #7
    Senior Member problemchild's Avatar
    Join Date
    Jul 2002
    Posts
    551
    When the code red worm Apache users were laughting and now they have the similar slapper worm.
    While I agree that there's a certain amount of comeuppance involved in Slapper, I don't think it's entirely accurate to compare Code Red and Slapper aside from the fact that they spread in a similar way. IIS garnered more then 350,000 Code Red infections with less than 25% of the server market, whereas Apache has about 62% of the market and has seen about 10,000 Slapper infections. Big difference there.

    The simple fact is that IIS is being disproportionately targeted by attackers, and people will argue about the reason, but the reason is pretty well irrelevant. What matters is that they are succeeding, and that's what you have to look at in choosing a web server.
    Do what you want with the girl, but leave me alone!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •