strange urlscan behaviour

From: Marco van Berkum (m.v.berkumat_private)
Date: Tue Mar 18 2003 - 03:21:38 PST


    Hi,
    
    While pentesting a remote customer, I came across this issue:
    
    $ telnet somehost 80
    Trying xxx.xxx.xxx.xxx...
    Connected to somehost.
    Escape character is '^]'.
    SEARCH / HTTP/1.0
    
    HTTP/1.1 200 OK
    Server: Microsoft-IIS/5.0
    Cache-Control: no-cache,no-transform
    Expires: Tue, 18 Mar 2003 10:49:32 GMT
    Content-Location: http://xxx.xxx.xxx.xxx/intro.htm?404;http://xxx.xxx.xxx.xxx/>?~/
    Vary: *
    Date: Tue, 18 Mar 2003 10:49:32 GMT
    Content-Type: text/html
    Accept-Ranges: bytes
    Content-Length: 302
    
    <HTML>
    bladiebla text text
    </HTML>
    Connection closed by foreign host.
    $
    
    This site is using lockdown, but what surprised me a bit is that it's nicely
    telling me that it's using urlscan in the Content-Location header.
    It exposes this information by using the SEARCH, TRACE, PROPFIND
    and PROPPATCH options; any other requests do not expose 'interesting'
    information in the Content-Location header.
    
    According to the OPTIONS request, these options are allowed:
    
    Public: OPTIONS, TRACE, GET, HEAD, POST
    Allow: OPTIONS, TRACE, GET, HEAD
    
    I was not able to produce this on other machines.
    Any hints on what might be causing this?
    
    Cheers,
    Marco van Berkum
    
    
    --
     ----------------------------------------
    |    Marco van Berkum / MB17300-RIPE     |
    | m.v.berkumat_private / http://ws.obit.nl |
     ----------------------------------------
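
As an added example (not part of the original post): an offline audit of captured response headers that flags the two things visible in the exchange above, a 2xx answer to a method that is absent from the Allow list and a Content-Location value ending in a `?404;<url>` suffix. The sample responses, the `host.example` names, the `/filter-reject` path and the function names are constructed for illustration.

```python
import re

# Constructed header blocks modeled on the post; hosts and paths are placeholders.
CAPTURED = {
    "SEARCH": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Microsoft-IIS/5.0\r\n"
        "Content-Location: http://host.example/intro.htm"
        "?404;http://host.example/filter-reject\r\n"
        "Content-Type: text/html\r\n\r\n"
    ),
    "GET": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Microsoft-IIS/5.0\r\n"
        "Content-Location: http://host.example/intro.htm\r\n"
        "Content-Type: text/html\r\n\r\n"
    ),
}
ALLOW = "OPTIONS, TRACE, GET, HEAD"  # Allow header value quoted in the post


def parse_head(raw):
    """Return (status_code, {lowercased header name: value}) for one response."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def audit(captured, allow_header):
    """Return a list of (method, kind, detail) findings."""
    allowed = {m.strip().upper() for m in allow_header.split(",")}
    findings = []
    for method, raw in captured.items():
        status, headers = parse_head(raw)
        # A success status for a method the server says it does not allow.
        if method not in allowed and 200 <= status < 300:
            findings.append((method, "status-mismatch", str(status)))
        # Content-Location carrying "?<status>;<url>", as in the post's SEARCH reply.
        m = re.search(r"\?(\d{3});(\S+)$", headers.get("content-location", ""))
        if m:
            findings.append((method, "location-leak", m.group(2)))
    return findings
```
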
    
    
    
    
    


