I tested an IIS5 server for this vulnerability and was not able to exploit without script or execute permissions. I have a couple questions with regard to this.

1. Is there any current way of exploiting this vulnerability when there is no scripting or execution allowed?

2. Does a default IIS5 install allow scripting or execution?

The reason I ask this is because I see this vulnerability as a default install problem mainly, and good admins removed that ISAPI scriptmap long ago. I am analyzing whether an IIS5 server without hotfixes/patches that was installed with best practices in mind is still secure; it seems to me that every exploit so far has been stopped dead in its tracks by the following of simple 'best practices' from Microsoft. Between separate disk partitions and removal of unneeded ISAPI extensions, a lot of security is added.

Please email me if you have any input or thoughts on this.

Thank you for your time,

Adept
markat_private
Hektik.org Security Team
This archive was generated by hypermail 2b30 : Thu May 03 2001 - 17:51:26 PDT