Hi All, I am getting quite a few "iis-double-eval-evasion" events. What surprises me is the Remedy that X-Force reports: "No remedy available as of October 2001." If I am not mistaken it is 2003 already. Could somebody kindly post an update on the case.
Thanks, Toma http://www.iss.net/security_center/static/7202.php iis-double-eval-evasion (7202) <<...OLE_Obj...>> Medium Risk IIS 4.0/5.0 escaped percent found Description: Microsoft IIS (Internet Information Server) versions 4.0 and 5.0 incorrectly evaluate URLs twice for escape sequences. In an attempt to bypass intrusion detection systems, an attacker may submit to an IIS server a URL containing escape sequences (such as %25) representing percent (%) characters. Platforms Affected: Microsoft IIS 4.0 Microsoft IIS 5.0 Windows 2000 Any version Windows NT 4.0 Remedy: No remedy available as of October 2001. Consequences: References: Standards associated with this entry: Reported: Date not applicable. _______________________________________________ ISSForum mailing list [EMAIL PROTECTED] TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo
