RE: Creating a secret web site on IIS 5.x using Alternative Data Streams

To: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: RE: Creating a secret web site on IIS 5.x using Alternative Data Streams
From: "James C Slora Jr" <Jim.Slora@xxxxxxxx>
Date: Tue, 9 Aug 2005 11:12:17 -0400
In-reply-to: <20050804162242.5697.qmail@xxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: PHR+A, pc
Reply-to: <Jim.Slora@xxxxxxxx>
Thread-index: AcWc7sDBWNkT6Hb1RqK5tidBP2BNVAAAqt5Q

Mitigation at the IIS server looks pretty straightforward.

URLScan in default configuration prevents access to ADS files, generating
the following log line:

Client at 10.1.1.100: URL contains sequence ':', which is disallowed.
Request will be rejected.  Site Instance='1', Raw
URL='/myremoteserver/help.gif:secret'

So you should see accesses in the IIS logs if you don't run URLScan, and
failed attempts in the URLScan logs if you do run it.

References:
- Creating a secret web site on IIS 5.x using Alternative Data Streams
  - From: inge_eivind . henriksen

Prev by Date: Bugtraq ID: 14460 : Coldfusion Fusebox V4.1.0 Vulnerability
Next by Date: Mozilla Firefox up to 1.0.6 and Mozilla Thunderbird up to 1.0 url string obfuscation
Previous by thread: Creating a secret web site on IIS 5.x using Alternative Data Streams
Next by thread: Nate User Password Disclosed By Anonymous
Index(es):
- Date
- Thread