I'd point out to the customer that there are ways to brute-force the username and password. If someone were to find a legitimate username and password by brute-force, then they could exploit whatever holes his IIS installation has - Unicode or otherwise.

(You'll find an HTTP-Auth brute-forcer program called ObiWaN at http://www.phenoelit.de/obiwan/)

BRYAN

-----Original Message-----
From: Vladimir Parkhaev [mailto:vladimirat_private]
Sent: Wednesday, July 25, 2001 9:03 AM
To: Penetration Testers
Subject: IIS/Unicode and authentication box

I am trying to show to a customer that his IIS server is vulnerable to unicode exploits. However, access to his server is password protected (Require valid-user). I get "HTTP/1.1 401 Access Denied" and "You are not authorized to view this page".

As far as I am concerned, having a password box does mean he does not have to patch his web server. How can I show that his box is vulnerable? Anybody?

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Wed Jul 25 2001 - 15:56:40 PDT