What auth schemes are you using? If you've already used basic auth and the .ida stuff is in the same realm as the previous basic auth realm then you won't get prompted until you either (a) switch realms or (b) use another auth scheme.

Cheers, Michael Howard
Windows 2000 Security
Got an 'Access Denied' problem? Check the appropriate logs first!

-----Original Message-----
From: Kevin Matthew [mailto:kevinmat_private]
Sent: Wednesday, January 19, 2000 10:59 AM
To: BUGTRAQat_private
Subject: Re: IIS still revealing paths for web directories

Hello,

There's another glitch when you have a password protected web directory with IIS5 and sending the
http://www.iisServer.blah/blah.ida

When the root folder on that website is password protected you do not get asked to authenticate but you just receive the error like other postings. Ditto with guessing content of that folder the server would not ask for the auth but just report a missing .ida file with full path of the local file.

IIS should ask for the password before giving out anything else.

Kevin Matthew <kevinmat_private>
Windsor Information Network Company Limited (WINCOM)
4325 County Road 42, Unit 10
Windsor, Ontario N8A 6J3
____________________________________________________
Phone: 519.972.1007 Fax: 519.972.7009

On Tue, 18 Jan 2000, Brock Tellier wrote:

> BTW, different error messages are given depending on whether or not the path
> up to the idq file exists. In my brief testing:
>
> http://www.example.com/exists/bah.ida
> yields
> The IDQ file C:\Inetpub\wwwroot\exists\bah.ida could not be found.
>
>
> http://www.example.com/doesntexist/bah.ida
> yields
> File C:\Inetpub\wwwroot\doesntexist\bah.ida. The system cannot find the path
> specified.
>
> Brock Tellier
> UNIX Systems Administrator
> Chicago, IL, USA
> btellierat_private
>
> Frank Knobbe at Home <FKnobbeat_private> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > > -----Original Message-----
> > > From: Chris Tobkin [mailto:tobkinat_private]
> > > Sent: Wednesday, January 12, 2000 2:08 PM
> > >
> > > > The same problem still exists on IIS4 (tested with SP5 - didn't try on
> > > > SP6).
> > >
> > > Still exists as far back as IIS3 also. (SP6a)
> >
> > Can't reproduce the problem with IIS3 and SP6.
> >
> > BTW: I'm running IIS3 on several servers without problems. I did not
> > want to upgrade to IIS4 due to the complexity of its internal
> > processes (and all those exploits that followed). My main complaint
> > is still that I do not want to run IIS under the system account as
> > IIS4 requires.
> >
> > Anyway, a time will come when we need to upgrade to W2K and IIS5.
> > Does anyone have a comparison or analysis of IIS5 in respect to
> > security (data channels, posting acceptors, etc)?
> >
> > Regards,
> > Frank
> >
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGP Personal Privacy 6.5.1
> > Comment: PGP or S/MIME (X.509) encrypted email preferred.
> >
> > iQA/AwUBOIFcCURKym0LjhFcEQI+XwCeM4vv5ILglddvWw1LIWYBNOPifSEAoJ7z
> > /+V1C97k2f+QTjNw9YGgmA90
> > =qq7D
> > -----END PGP SIGNATURE-----
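A regression check for the behaviour discussed in this thread, as an added example that is not part of any poster's message: it scans HTTP responses captured from your own server for the two error bodies quoted above and flags any that leak a local path, noting when the leak happened on a password-protected URL without a 401. The function names, the `protected` flag and the sample status codes are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# The two error bodies quoted in the thread, generalised to any drive and path.
# \s+ before "specified" tolerates the line wrap seen in the quoted message.
IDQ_MISSING = re.compile(
    r"The IDQ file ([A-Za-z]:\\[^\r\n<]+?) could not be found\.")
PATH_MISSING = re.compile(
    r"File ([A-Za-z]:\\[^\r\n<]+?)\. The system cannot find the path\s+specified\.")


@dataclass
class Finding:
    kind: str        # "idq-missing" or "path-missing"
    local_path: str  # server-side filesystem path that appeared in the body
    pre_auth: bool   # True if leaked on a protected URL without a 401 challenge


def audit_response(status: int, body: str, protected: bool) -> list:
    """Return one Finding per local path disclosed in a response body."""
    findings = []
    for kind, rx in (("idq-missing", IDQ_MISSING), ("path-missing", PATH_MISSING)):
        for m in rx.finditer(body):
            findings.append(Finding(kind, m.group(1), protected and status != 401))
    return findings


def audit_all(samples) -> list:
    """Audit (status, body, protected) tuples and flatten the findings."""
    return [f for s in samples for f in audit_response(*s)]


# Constructed sample responses; the bodies reuse the messages quoted in the
# thread, the status codes and protected flags are assumed for the example.
SAMPLES = [
    (200, r"The IDQ file C:\Inetpub\wwwroot\exists\bah.ida could not be found.", True),
    (200, r"File C:\Inetpub\wwwroot\doesntexist\bah.ida. The system cannot find the path"
          "\nspecified.", False),
    (401, "Access denied.", True),
]

if __name__ == "__main__":
    for f in audit_all(SAMPLES):
        print(f)
```

A clean result for a protected directory is an empty list together with a 401 status; any `pre_auth=True` finding means the error body was returned before authentication was demanded.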
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:29:44 PDT