Re: [PEN-TEST] sdiis.dll (part of SecurID??)

From: M F (r00tat_private)
Date: Sat Apr 14 2001 - 08:41:07 PDT


    Hi Vanja,
    
    sdiis.dll is used to authenticate to the SecurID Web agent when a user
    presents his/her username & passcode to the asp.
    
    sdiis.dll is loaded on all pages that the admin chooses to protect using
    SecurID.
    
    The strange thing about your post is: RSA sent a letter to all RSA Ace
    Server Engineers around 2 weeks ago saying:
    
    During a penetration test of our SecurID WebID agents we have noticed
    it is possible to bypass the SecurID authentication.
    
    They have also posted a url asking all engineers to update all
    customers' Ace Agents.
    
    Looks like they took your advice all right, but never bothered to say
    Thank you.
    
    I'll be speaking with them right away.
    
    
    Thanks for the heads up.
    
    
    Quoting Vanja Hrustic <vanjaat_private>:
    
    > I would like to check if anyone using SecurID maybe knows what
    > 'sdiis.dll' is used for (it is found on an IIS4 server)?
    >
    > Basically, any request for any page (valid or invalid) on a site
    > will result in redirection to 'sdiis.dll' and prompt for
    > id/pass. However, there is a very silly way to bypass it by
    > requesting a URL like:
    >
    > http://www.example.org/sdiis.dll/../some_directory_or_file
    >
    > I have sent a question to RSA (hope SecurID is still theirs) a few
    > months ago, but no reply. The client (where this was found) was
    > not able to help (didn't get an answer about this issue, but the
    > server was not used for anything, so they didn't consider it
    > 'important').
    >
    > What I would really like to understand is what 'sdiis.dll' is
    > part of, and what is its function?
    >
    > Search on google/altavista did not reveal anything (well, found
    > one site using it, but I'm not going to 'test' on their server).
    >
    > Thanks in advance.
    >
    > --
    >
    > Vanja Hrustic
    > The Relay Group
    > http://relaygroup.com
    > Technology Ahead of Time
    >
    
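    The quoted post reports only the symptom: a request for
    'sdiis.dll/../some_file' is served without the SecurID prompt that every
    other request gets. The post does not say why, and neither does this
    reply. The example below is added here and is not code from either
    poster or from RSA. It assumes one common cause of this class of bypass:
    the agent decides "is this a request for my own login handler?" by
    matching the raw request path by prefix, while the web server resolves
    '..' afterwards and serves a different file. The sample request paths
    are constructed for the example; the function names are invented.

```python
"""Naive prefix-match policy vs. a canonicalising policy for a protected
IIS site whose login handler is /sdiis.dll (added example, not the agent's
real logic; the raw-prefix failure mode is an assumption)."""
from posixpath import normpath
from urllib.parse import unquote

AUTH_HANDLER = "/sdiis.dll"      # the agent's ISAPI entry point, as in the post
PUBLIC = {AUTH_HANDLER}          # the only resource reachable without a session


def canonical_path(raw_path: str) -> str:
    """Reduce a request path to the path the file system will actually see.

    Steps, in the order an attacker's encoding tricks need them undone:
      1. drop any query string,
      2. percent-decode (so %2f and %2e become '/' and '.'),
      3. treat '\\' as '/' (IIS on Windows accepts both),
      4. collapse '.', '..' and repeated slashes, never climbing above '/'.
    """
    path = raw_path.split("?", 1)[0]
    path = unquote(path).replace("\\", "/")
    path = "/" + path.lstrip("/")          # exactly one leading slash
    return normpath(path)                  # '/a/../b' -> '/b', '/../b' -> '/b'


def naive_requires_auth(raw_path: str) -> bool:
    """Assumed broken policy: look at the raw path only.

    Requests that start with the login handler's name are let through so
    the logon form can be reached; everything else must carry a session.
    '/sdiis.dll/../index.asp' starts with '/sdiis.dll', so it is let through
    even though the server will serve /index.asp.
    """
    return not raw_path.startswith(AUTH_HANDLER)


def hardened_requires_auth(raw_path: str) -> bool:
    """Same policy, but decided on the canonical path, not the raw one."""
    return canonical_path(raw_path) not in PUBLIC


def bypass_candidates(raw_paths):
    """Return the raw paths the naive policy would wave through while the
    canonical path is something other than the login handler, i.e. the
    requests that exploit the gap between the two policies."""
    return [
        p for p in raw_paths
        if not naive_requires_auth(p) and hardened_requires_auth(p)
    ]


# Constructed sample requests for this example (not from a real log).
SAMPLE_REQUESTS = [
    "/index.asp",                                   # ordinary page
    "/sdiis.dll",                                   # the login handler itself
    "/sdiis.dll?return=%2findex.asp",               # login handler with a query
    "/sdiis.dll/../index.asp",                      # the post's bypass shape
    "/sdiis.dll/..%2f..%2fprivate/report.asp",      # encoded traversal
    "/sdiis.dll\\..\\secret.asp",                   # backslash traversal
]

if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        print(f"{raw:45} -> {canonical_path(raw):25} "
              f"naive_auth={naive_requires_auth(raw)!s:5} "
              f"hardened_auth={hardened_requires_auth(raw)}")
    print("bypass candidates:", bypass_candidates(SAMPLE_REQUESTS))
```

    The same comparison is useful after the fact: run `bypass_candidates`
    over the cs-uri-stem column of the IIS logs to see whether anyone has
    already tried the 'sdiis.dll/..' shape against a server before the
    agent was updated.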



    This archive was generated by hypermail 2b30 : Sat Apr 14 2001 - 12:17:45 PDT