At 01:15 PM 01-05-2001 -0700, Marc Maiffret wrote:

>The Fallout:
>As with our first remote SYSTEM level exploit for IIS 4.0 2 years ago, the
>fallout from this second IIS remote overflow is also rather large. Once
>again it does not matter what kind of security systems you have in place,
>Firewalls, IDS's, etc. because all of those systems can be bypassed and
>your web server CAN be broken into via this vulnerability. To quote our last

Actually these attacks (and others) may not work if you have a web proxy that
allows clients to only access URLs that appear in the protected website's
content plus defined entry point URLs. The good old "default deny" concept.
You can only ask for what the protected server says is there, or is OK.

I'm glossing over the details of course, but basically the proxy looks at the
protected webserver's content it is serving up, and only that which is
explicitly specified by the content is allowed. For example, fields in forms
are limited to that specified by their SIZE parameter, and unspecified
parameters never get passed to the target URL. With statefulness active it's
impossible for people to use legit bookmarks to jump arbitrarily anywhere on
a protected site. No deep linking unless specifically allowed ;).

This method also works for FTP (amongst other things), but it's a pain for
people to have to do cd, dir, cd, dir before downloading ;) (so turn off
statefulness!).

A significant amount of performance would be lost, but this could be offset
somewhat by caching results where possible, and using the proxy on sites
where security is more important than performance. This is where the
gigahertz CPUs on DDR RAM come in I guess :).

Cheerio,
Link.
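The content-derived "default deny" filter described in the message above, as an added example that is not part of the original post and is not the code of any product mentioned on the list. It assumes the proxy sees every HTML response it relays, that hrefs and form actions are site-absolute paths, and that form SIZE attributes bound the accepted value length; the sample page, entry points and client addresses are constructed. The `stateful` switch implements the per-client tracking the post mentions: a client may only follow links from pages it was actually served, so a bookmark presented by a fresh client is denied.

```python
"""Default-deny request filter driven by the protected site's own content.
Hypothetical illustration; not from the original message or any product."""

from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl


class ContentLinkExtractor(HTMLParser):
    """Pull <a href> targets and <form> definitions out of served HTML.
    Assumption: hrefs and actions are site-absolute paths like "/news?id=7"."""

    def __init__(self):
        super().__init__()
        self.links = set()   # request-targets exactly as the page advertised them
        self.forms = {}      # action path -> {"method": "GET"/"POST", "fields": {name: size}}
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.add(a["href"])
        elif tag == "form":
            self._form = {"method": a.get("method", "get").upper(), "fields": {}}
            self.forms[a.get("action", "")] = self._form
        elif tag == "input" and self._form is not None and a.get("name"):
            size = a.get("size")
            # SIZE becomes the maximum accepted value length; no SIZE means no limit
            self._form["fields"][a["name"]] = int(size) if size and size.isdigit() else None

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


class DefaultDenyPolicy:
    """Allow only configured entry points plus what served content advertises.
    With stateful=True advertised URLs are tracked per client (no deep linking)."""

    def __init__(self, entry_points, stateful=False):
        self.entry_points = set(entry_points)
        self.stateful = stateful
        self._links = {}   # scope key -> set of advertised request-targets
        self._forms = {}   # scope key -> {action path: form definition}

    def _scope(self, client):
        return client if self.stateful else None

    def learn(self, html, client=None):
        """Feed every HTML response the proxy relays back to `client`."""
        p = ContentLinkExtractor()
        p.feed(html)
        key = self._scope(client)
        self._links.setdefault(key, set()).update(p.links)
        self._forms.setdefault(key, {}).update(p.forms)

    def check(self, method, target, body="", client=None):
        """Return (allowed, reason) for a request-target such as "/search?q=x"."""
        key = self._scope(client)
        links = self._links.get(key, set())
        forms = self._forms.get(key, {})
        # 1. A plain fetch of an entry point or an advertised link is allowed verbatim.
        if method == "GET" and (target in self.entry_points or target in links):
            return True, "listed URL"
        # 2. Anything else must be a submission to a declared form, with only the
        #    declared parameters and values no longer than their SIZE.
        parts = urlsplit(target)
        form = forms.get(parts.path)
        if form is None:
            return False, "URL not present in served content"
        if method != form["method"]:
            return False, "method differs from form declaration"
        if method == "POST" and parts.query:
            return False, "query string not allowed on POST to form"
        query = parts.query if method == "GET" else body
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name not in form["fields"]:
                return False, "parameter %r not declared by form" % name
            limit = form["fields"][name]
            if limit is not None and len(value) > limit:
                return False, "parameter %r exceeds SIZE=%d" % (name, limit)
        return True, "form submission within declared fields"


# Constructed sample of what the protected server serves for its index page.
SAMPLE_PAGE = """<html><body>
<a href="/about.html">About</a>
<a href="/news?id=7">Latest news</a>
<form action="/search" method="get">
  <input name="q" size="40"><input type="submit" value="Go">
</form>
</body></html>"""


def demo(stateful=False):
    """Run a set of constructed requests through the policy; returns {(method, target, client): allowed}."""
    policy = DefaultDenyPolicy(entry_points={"/", "/index.html"}, stateful=stateful)
    policy.learn(SAMPLE_PAGE, client="10.0.0.5")          # 10.0.0.5 fetched the index page
    cases = [
        ("GET", "/index.html", "", "10.0.0.5"),            # entry point
        ("GET", "/news?id=7", "", "10.0.0.5"),             # advertised link
        ("GET", "/news?id=8", "", "10.0.0.5"),             # tampered link
        ("GET", "/search?q=iis+overflow", "", "10.0.0.5"), # within SIZE=40
        ("GET", "/search?q=" + "A" * 41, "", "10.0.0.5"),  # over SIZE=40
        ("GET", "/search?q=x&debug=1", "", "10.0.0.5"),    # undeclared parameter
        ("GET", "/never-linked.ext", "", "10.0.0.5"),      # never advertised anywhere
        ("POST", "/search", "q=x", "10.0.0.5"),            # method mismatch
        ("GET", "/news?id=7", "", "10.0.0.9"),             # bookmark from a fresh client
    ]
    return {(m, t, c): policy.check(m, t, b, c)[0] for m, t, b, c in cases}


if __name__ == "__main__":
    for mode in (False, True):
        print("stateful=%s" % mode)
        for (m, t, c), ok in demo(stateful=mode).items():
            print("  %-5s %-28s %-9s %s" % (m, t, c, "ALLOW" if ok else "DENY"))
```

The last case is the one that changes between modes: stateless, the bookmark `/news?id=7` from 10.0.0.9 is allowed because it was advertised to somebody; stateful, it is denied because that client was never served a page containing it, which is the deep-linking restriction the post describes. A request for a path that never appears in served content is denied in both modes regardless of what headers or payload it carries, which is why the post argues this class of proxy can stop attacks that firewalls and IDS pass through.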
This archive was generated by hypermail 2b30 : Wed May 02 2001 - 08:36:57 PDT