> So basically: > IF I DON'T USE IT, I have it disabled, the exploit won't work > BUT I log it. IF I USE IT, the exploit will succeed, and no > logging will be made. > > Am I wrong? I would agree on this. Anyhow, I also would like to verify that this is actually what does happen. If someone is having an exploit for this issue, I would deeply appreciate if you could pass me a copy via private email so that I could actually try it out in lab. The bottom line, however, is that there *are* definitely ways to exploit IIS without any log being written. We are right now writing an ISAPI filter that will provide two log entries for each request: one as soon as the request is seen initially by IIS (very early, prior to almost all of its processing) and another one when the request is finished. With this, you'll be able to get logs on such intrusions - you may even detect them by searching for requests that begun but never ended.... Rainer _______________________________________________ LogAnalysis mailing list LogAnalysisat_private http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Thu Mar 20 2003 - 15:28:07 PST