Greetings,

According to Nessus (and several websites) there are buffer overflows in the following application mappings from IIS 5.0 that could allow an attacker to cause a denial of service or gain remote root shell access to a Windows box:

htr      c:\winnt\system32\inetsrv\ism.dll    GET,POST
printer  c:\winnt\system32\msw3prt.dll        GET,POST
shtm     c:\winnt\system32\inetsrv\ssinc.dll  GET,POST
shtml    c:\winnt\system32\inetsrv\ssinc.dll  GET,POST

.shtm/.shtml are file extensions that deal with server-side includes, .htr appears to deal somewhat with indexing and .printer has some application for printing, though why you'd want people to print from a webpage I have no idea.

Our client is currently using ColdFusion with the Fusebox application on top, but instead of passing variables in the standard way:

http://www.client.com/index.cfm?fuseaction=foo

they are passing variables to their script using URLs that look like:

http://www.client.com/index.cfm/foo

and parsing the address field with a case statement keyed off what follows the "/". This had been working pretty well for them, up until I went to fix the insecure application mappings.

When I removed the above mappings, the URL http://www.client.com/index.cfm/foo no longer saw index.cfm as a script, and instead started throwing a 404 error since obviously there is no index.cfm/foo directory. When we discovered this we attempted to put the application mappings back in place, but doing so had no effect, and we have yet to find a way to repair this functionality.

From what I've been able to determine from the web, being able to pass variables in the manner that this client was doing is something they're really not supposed to be able to do, though it's not specifically prevented in the HTTP spec, and therefore it varies by vendor as to how it's implemented, and it appears that Microsoft has decided to quit implementing it.

Has anyone had this issue? Any solutions?

Thanks.

Alf

Alf Gardner
COMFLUENT
Bringing the Long Haul and the Metro Core Together
910 15th St., Suite 751, Denver, Colorado 80202 USA
303.376.1600
303.376.1601 fax
http://www.comfluent.net
