Re: iXsecurity.tool.briiis.3.02

From: Alex Butcher (alexat_private)
Date: Fri Jun 15 2001 - 04:09:22 PDT


    ian.vitekat_private wrote:
    
    > iXsecurity Security Tool Release
    > briiis.pl v3.02
    > ================
    > 
    > Tool Description
    > ----------------
    > Briiis is a tool for testing web servers for "/" encoding
    > break out from web root vulnerability from an executable
    > directory.
    > E.g. IIS Unicode and double encoding vulnerabilities.
    
    It's also worth remembering that Exchange uses IIS to provide Outlook
    Web Access and that this (always?) makes the /exchange path a script
    directory. It would appear that these hosts often get overlooked when
    the patch monkey is instructed to hotfix "all our IIS servers" :)
    
    Kudos to the author of the IIS unicode plugin in Nessus for pointing
    this out to me. :)
    
    Best Regards,
    Alex.
    -- 
    Alex Butcher                                      PGP/GnuPG Key IDs:
    Consultant, S3 Systems Security Services          alex@s3       B7709088
    PGP: http://www.s3.integralis.co.uk/pgp/alex.pgp  alex.butcher@ 885BA6CE
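
A log-review check for the point made in this thread, as an added example that is not part of the original messages or of briiis.pl: it flags requests under executable directories, including the /exchange path on Outlook Web Access hosts, whose path carries an overlong UTF-8 or double-encoded separator. The /scripts entry, the log field order and the assumption that the log records the raw request path are not from the thread, and the sample lines are constructed.

```python
import re
from urllib.parse import unquote_to_bytes

# Assumption: directories mapped as executable on the hosts under review.
# /exchange is the OWA path from the message; /scripts is an assumed IIS default.
SCRIPT_DIRS = ("/scripts/", "/exchange/")

# Non-shortest-form UTF-8: lead bytes C0/C1, E0 + 80..9F, F0 + 80..8F.
OVERLONG = re.compile(rb"[\xc0\xc1]|\xe0[\x80-\x9f]|\xf0[\x80-\x8f]")
# A ".." path segment delimited by either separator.
DOTDOT = re.compile(rb"(^|[/\\])\.\.([/\\]|$)")

def classify(uri):
    """Return the reasons a request path looks like an encoded-separator breakout."""
    path = uri.split("?", 1)[0]
    if not path.lower().startswith(SCRIPT_DIRS):
        return []
    once = unquote_to_bytes(path)   # what a single decoding pass sees
    twice = unquote_to_bytes(once)  # what a second, superfluous pass sees
    reasons = []
    if OVERLONG.search(once) or OVERLONG.search(twice):
        reasons.append("overlong-utf8")
    if twice != once:
        reasons.append("double-encoding")
    if DOTDOT.search(once) or DOTDOT.search(twice):
        reasons.append("dot-dot-segment")
    return reasons

def scan(log_lines):
    """Return (client_ip, uri, reasons) for each suspicious request."""
    hits = []
    for line in log_lines:
        if line.startswith("#") or not line.strip():
            continue  # skip W3C directive lines and blanks
        date, time, c_ip, method, uri, status = line.split()[:6]
        reasons = classify(uri)
        if reasons:
            hits.append((c_ip, uri, reasons))
    return hits

# Constructed sample log lines (documentation addresses, placeholder file names).
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status",
    "2001-06-15 11:02:13 192.0.2.10 GET /exchange/user/Inbox/?Cmd=contents 200",
    "2001-06-15 11:02:40 192.0.2.77 GET /exchange/..%c0%af../placeholder.txt 404",
    "2001-06-15 11:03:05 192.0.2.77 GET /scripts/..%255c../placeholder.txt 404",
    "2001-06-15 11:03:30 192.0.2.10 GET /exchange/user/My%20Report.EML 200",
]
```

Bytes such as %c0 can also appear in legitimate paths sent in a single-byte code page, so an "overlong-utf8" hit is a lead for review rather than proof of an attempt.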
    



    This archive was generated by hypermail 2b30 : Fri Jun 15 2001 - 16:47:25 PDT