Re: IIS Internal IP disclosure

From: Alex Zimin (alexat_private)
Date: Wed Feb 26 2003 - 10:35:19 PST


    Renaud,
    
    I agree that without a check for an IP value my script may give a lot of
    false positives. An IP value check can easily be added to the script.
    
    The reason for creating another script to detect IIS IP was that the
    iis_nat script will miss detection of the IIS IP address in many cases. It
    will return a result only in the case where IIS is serving a static HTML
    page as a startup page (which is not even the MS default IIS setup).
    
    > Your script will false positive on any host that has a redirection set
    > for the main page (ie: many) - you should at least make sure the
    > Location: field shows an IP address.
    >
    >
    > I fail to see the difference with iis_nat.nasl though. Redirections
    > exist, they're not a security flaw per se.
    
    My script is not running a check on the main page or looking for
    redirections, but rather sends a
    "HEAD /existingIISdirectoryname HTTP/1.0" request to IIS, which reveals
    the IIS IP address if IIS is not properly configured.
    
    This script is not something new, but rather an addition to the existing
    iis_nat script to increase Nessus's chances of detecting the internal IIS
    IP address, which is a security risk, in cases where iis_nat.nasl will
    fail to find it.
    
    Alex.
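
An added example, not part of the original message and not Alex's script or iis_nat.nasl: the IP value check discussed in this thread, written in Python and applied to response headers that have already been captured. It assumes "internal" means an RFC 1918 address (the thread does not define the range); the function names and the sample responses are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: only RFC 1918 ranges count as "internal" for this check.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample responses to a HEAD request for a directory name.
SAMPLE_LEAK = ("HTTP/1.1 302 Object Moved\r\n"
               "Location: http://10.1.2.3/images/\r\n"
               "Server: Microsoft-IIS/5.0\r\n\r\n")
SAMPLE_HOSTNAME = ("HTTP/1.1 302 Object Moved\r\n"
                   "Location: http://www.example.com/images/\r\n\r\n")
SAMPLE_PUBLIC_IP = ("HTTP/1.1 302 Object Moved\r\n"
                    "location: http://203.0.113.5/images/\r\n\r\n")
SAMPLE_NO_REDIRECT = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"


def location_header(raw_response):
    """Return the Location header value from raw response text, or None."""
    for line in raw_response.splitlines()[1:]:   # skip the status line
        if not line.strip():
            break                                # end of the header block
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return value.strip()
    return None


def leaked_internal_ip(raw_response):
    """Return the RFC 1918 address found in Location, or None.

    A redirect to a hostname, a relative path or a public address is an
    ordinary redirection and is not reported, which removes the false
    positives raised in the quoted reply.
    """
    location = location_header(raw_response)
    if not location:
        return None
    try:
        host = urlsplit(location).hostname
        addr = ipaddress.ip_address(host or "")
    except ValueError:
        return None                              # not an IP literal
    return str(addr) if any(addr in net for net in RFC1918) else None


if __name__ == "__main__":
    for sample in (SAMPLE_LEAK, SAMPLE_HOSTNAME, SAMPLE_PUBLIC_IP):
        print(leaked_internal_ip(sample))
```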
    


