Hi,

while pentesting a remote customer I came across this issue:

$ telnet somehost 80
Trying xxx.xxx.xxx.xxx...
Connected to somehost.
Escape character is '^]'.
SEARCH / HTTP/1.0

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Cache-Control: no-cache,no-transform
Expires: Tue, 18 Mar 2003 10:49:32 GMT
Content-Location: http://xxx.xxx.xxx.xxx/intro.htm?404;http://xxx.xxx.xxx.xxx/>?~/
Vary: *
Date: Tue, 18 Mar 2003 10:49:32 GMT
Content-Type: text/html
Accept-Ranges: bytes
Content-Length: 302

<HTML>
bladiebla text text
</HTML>
Connection closed by foreign host.
$

This site is using lockdown, but what surprised me a bit is that it's nicely telling me that it's using urlscan in the Content-Location header. It exposes this information by using the SEARCH, TRACE, PROPFIND and PROPPATCH options; any other requests do not expose 'interesting' information in the Content-Location header.

According to the OPTIONS request these options are allowed:

Public: OPTIONS, TRACE, GET, HEAD, POST
Allow: OPTIONS, TRACE, GET, HEAD

I was not able to produce this on other machines. Any hints on what might be causing this?

Cheers,
Marco van Berkum

--
----------------------------------------
| Marco van Berkum / MB17300-RIPE |
| m.v.berkumat_private / http://ws.obit.nl |
----------------------------------------
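An added example, not part of the original post: a small offline check an administrator could run over captured response headers to flag the two things the message observes, a Content-Location that carries an error-handler query of the form `?404;<original URL>`, and methods listed in Public but missing from Allow. The host name and the `rejected-marker` path segment are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed captures modelled on the session in the post (placeholder host/path).
SAMPLES = {
    "SEARCH": ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n"
               "Content-Location: http://www.example.test/intro.htm?404;"
               "http://www.example.test/rejected-marker?~/\r\n\r\n<HTML>text</HTML>"),
    "GET": ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n"
            "Content-Location: http://www.example.test/intro.htm\r\n\r\n<HTML>text</HTML>"),
    "OPTIONS": ("HTTP/1.1 200 OK\r\nPublic: OPTIONS, TRACE, GET, HEAD, POST\r\n"
                "Allow: OPTIONS, TRACE, GET, HEAD\r\n\r\n"),
}

# <page>?<3-digit status>;<original URL>, the shape seen in the post's header
FORWARDED = re.compile(r"\?(\d{3});(\S+)$")

def parse_headers(raw):
    """Split a raw response into (status_line, {lowercased-name: value})."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    fields = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        fields[name.strip().lower()] = value.strip()
    return head[0], fields

def forwarded_target(fields):
    """Return (status, original_url) if Content-Location has an error-handler query."""
    m = FORWARDED.search(fields.get("content-location", ""))
    return (m.group(1), m.group(2)) if m else None

def advertised_only(fields):
    """Methods listed in Public but absent from Allow."""
    split = lambda v: {m.strip().upper() for m in v.split(",") if m.strip()}
    return split(fields.get("public", "")) - split(fields.get("allow", ""))

def audit(samples):
    """Return (method, finding, detail) tuples for every capture that leaks."""
    findings = []
    for method, raw in samples.items():
        _, fields = parse_headers(raw)
        hit = forwarded_target(fields)
        if hit:
            findings.append((method, "content-location", hit[1]))
        extra = advertised_only(fields)
        if extra:
            findings.append((method, "public-not-allow", ",".join(sorted(extra))))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLES), sep="\n")
```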
This archive was generated by hypermail 2b30 : Tue Mar 18 2003 - 08:27:05 PST