Great Circle Associates Firewalls
(December 1996)
 


Subject: Vulnerabilities in Microsoft's IIS 2.0
From: oolid @ acqic . org (Joseph L. Moll)
Date: Thu, 05 Dec 1996 16:22:37 -0500
To: firewalls @ greatcircle . com

Hello all:

We have noticed a little problem with IIS 2.0 and were wondering if the
problem also exists in IIS 3.0.

It seems that anyone can browse any files in the cgi-bin directory on
the server.  For example, browse this on your IIS web host:  

http://your.domain.here/cgi-bin/my_cgi.ini

The only catch is that you have to know the name of the file.  Good ole
security by obscurity?

IIS 2.0 in conjunction with M$ Internet Exploder passes the end user's domain
and username to the IIS for access.  Gets logged in the log file as
DOMAIN\USERNAME.

Anyone else observed this slight problem?


Regards,
---
Joseph L. (Joe) Moll -- Network and Communications Engineering
mailto:jmoll @ acquion . com  http://www.acquion.com
ACQUION, Inc.  Greenville, SC  USA -- Specialists in Electronic Commerce
PGP Fingerprint =  8D E7 F0 E8 8D 67 A8 19  02 CB 83 0F 19 41 D3 A9
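
A log check for the behaviour described in the message above, as an added example that is not part of the original post: it flags requests under /cgi-bin/ that returned 200 for a file that is not a script, meaning the file's contents were sent to the client. The log lines are constructed, and the comma-separated field order, the function name and the list of executable extensions are assumptions.

```python
import csv
import io
import posixpath

# Constructed sample lines; the comma-separated field order is an assumption:
# client IP, user, date, time, service, host, server IP, ms, bytes in, bytes out,
# HTTP status, NT status, method, target, parameters
SAMPLE_LOG = """\
192.0.2.10, -, 12/5/96, 16:20:01, W3SVC, WEB1, 192.0.2.1, 40, 210, 1532, 200, 0, GET, /cgi-bin/my_cgi.ini, -,
192.0.2.11, EXAMPLE\\jdoe, 12/5/96, 16:20:09, W3SVC, WEB1, 192.0.2.1, 95, 230, 804, 200, 0, GET, /cgi-bin/search.exe, q=test,
192.0.2.12, -, 12/5/96, 16:21:44, W3SVC, WEB1, 192.0.2.1, 10, 205, 312, 404, 2, GET, /cgi-bin/old.cfg, -,
192.0.2.10, -, 12/5/96, 16:22:30, W3SVC, WEB1, 192.0.2.1, 15, 201, 9120, 200, 0, GET, /CGI-BIN/orders.dat, -,
192.0.2.13, -, 12/5/96, 16:23:02, W3SVC, WEB1, 192.0.2.1, 12, 199, 4410, 200, 0, GET, /default.htm, -,
"""

SCRIPT_DIR = "/cgi-bin/"  # virtual directory named in the post
EXECUTABLE_EXTS = {".exe", ".dll", ".pl", ".cgi", ".bat", ".cmd"}  # assumed script types


def find_static_reads(log_text, script_dir=SCRIPT_DIR, exec_exts=EXECUTABLE_EXTS):
    """Return (client, user, target) for successful reads of non-script files."""
    hits = []
    for row in csv.reader(io.StringIO(log_text), skipinitialspace=True):
        if len(row) < 14:
            continue  # skip blank or malformed lines
        client, user, status, method, target = row[0], row[1], row[10], row[12], row[13]
        # Normalise slashes, dot segments and case before matching the directory.
        path = posixpath.normpath(target.replace("\\", "/")).lower()
        if not path.startswith(script_dir):
            continue
        ext = posixpath.splitext(path)[1]
        # A 200 on a non-executable extension means the file body was served as-is.
        if method.upper() in ("GET", "HEAD") and status == "200" and ext not in exec_exts:
            hits.append((client, user, target))
    return hits


if __name__ == "__main__":
    for client, user, target in find_static_reads(SAMPLE_LOG):
        print(f"{client} ({user}) read {target}")
```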


