This is a quick fix to allow .htr files, therefore not breaking functionality such as /iisadmpwd/. Some companies were asking if there was a possible way to fix the .htr hole without removing the .htr ISAPI filter. Here is the fix to do so.

The filter patch we created will limit all .htr requests to 255 characters, therefore if someone tries the overflow it will get cut off and will never happen. Also, the IP address of the person trying the overflow is logged in the application log file along with the actual query.

Credits: This is a modification of ASPBUGFILTER by Christoph Wille Christoph.Willeat_private, AUSTRIA. The fix was inspired by Brett Glass brettat_private and Niall McKay niallat_private

For the Patch and Source visit: http://www.eeye.com/database/advisories/ad06081999/ad06081999-ogle.html

If you find any bugs in it send an email to alertat_private

eEye Digital Security Team
http://www.eEye.com

P.S. This is not a perfect patch as there are more overflows in ism.dll than just .htr extensions... but this patch is a lot better than current recommendations and it is open source so you can hack it up to do whatever you like... maybe redirect people to a page telling them they have been logged or some "scary" thing.

P.P.S. While we are posting we would like to thank the security community for their positive response and helpfulness over the last couple of days.
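The check described in the post, as an added example in portable C; it is not eEye's filter source and uses no ISAPI calls. The names `limit_htr_request`, `is_htr_request` and `HTR_MAX_LEN`, the log format, and the choice to apply the 255-character limit to the whole URL string are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define HTR_MAX_LEN 255  /* limit stated in the post */

/* Hypothetical helper: does the path part (before any '?') end in ".htr"? */
static int is_htr_request(const char *url)
{
    static const char ext[] = ".htr";
    size_t path_len = strcspn(url, "?");
    size_t i;

    if (path_len < 4)
        return 0;
    for (i = 0; i < 4; i++)
        if (tolower((unsigned char)url[path_len - 4 + i]) != ext[i])
            return 0;
    return 1;
}

/* Cuts an over-long .htr URL to HTR_MAX_LEN in place and writes a log line
 * with the client address and the original request. Returns 1 if the
 * request was cut and logged, 0 if it was left untouched. */
int limit_htr_request(char *url, const char *client_ip,
                      char *logbuf, size_t logsz)
{
    size_t len = strlen(url);

    if (logsz)
        logbuf[0] = '\0';
    if (!is_htr_request(url) || len <= HTR_MAX_LEN)
        return 0;
    /* Log before cutting; snprintf bounds the attacker-supplied text. */
    snprintf(logbuf, logsz, "oversized .htr request from %s (%lu bytes): %s",
             client_ip, (unsigned long)len, url);
    url[HTR_MAX_LEN] = '\0';
    return 1;
}

int main(void)
{
    char url[600], logline[512];

    /* Constructed sample: a 400-byte path ending in .htr */
    url[0] = '/';
    memset(url + 1, 'A', 395);
    strcpy(url + 396, ".htr");
    if (limit_htr_request(url, "192.0.2.10", logline, sizeof logline))
        printf("%s\nforwarded length: %lu\n", logline, (unsigned long)strlen(url));
    return 0;
}
```

Short .htr requests such as those under /iisadmpwd/ pass through unchanged, which is the functionality the post wants to preserve.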