VID: 22229
Severity: 20
Port: 80, ...
Protocol: TCP
Class: WWW
Detailed Description: URLScan is running on the target Web server.
URLScan, written by Microsoft, is a security tool that filters the HTTP requests that Internet Information Services (IIS) will process. In its default configuration, URLScan running on IIS versions prior to 6.0 discloses its presence to a remote attacker through the way it processes HTTP HEAD requests. If URLScan receives an invalid HEAD request, the request is automatically converted to a GET request and passed to the IIS server. Because the rejection occurs early in request handling, the normal 404 error message cannot be generated; instead, the HTML page specified by the 'RejectResponseUrl' setting is returned. A remote attacker can therefore determine whether URLScan is running on a target server from the difference in the HEAD response.

* Note: The GET and OPTIONS methods can also be used to detect whether URLScan is running on a remote server. However, those approaches can be affected by many small web servers (such as SWAT) or may be inexact, so this check uses only the HEAD method to assess this vulnerability.

* References:
http://www.securitytracker.com/alerts/2003/Jun/1006901.html
http://www.securityfocus.com/archive/1/323389
http://www.securityfocus.com/archive/1/323655

* Software Affected:
Microsoft URLScan 2.5 (URLSCAN.DLL version 6.0.3547.0)
Recommendation: Change the "UseFastPathReject" setting in the urlscan.ini file to "1", as recommended by Microsoft. An example line from the urlscan.ini file might look like:

UseFastPathReject=1
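The following is an added example, not code from the original entry or from Microsoft. It audits a urlscan.ini for the UseFastPathReject setting described above and rewrites the file with the recommended value, keeping every other line unchanged so the fix can be reviewed as a minimal diff. The sample file content is constructed for the demonstration.

```python
import configparser

# Constructed sample urlscan.ini fragment (not from the page); it shows the
# default UseFastPathReject=0 that the entry describes as disclosing URLScan.
SAMPLE_INI = """\
[Options]
UseAllowVerbs=1
RejectResponseUrl=/rejected.htm
UseFastPathReject=0
[AllowVerbs]
GET
HEAD
POST
"""

def parse_urlscan_ini(text):
    """Parse urlscan.ini; allow_no_value accepts the verb/extension lists that have no '='."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(text)
    return cp

def fast_path_reject_enabled(text):
    """True only when [Options] sets UseFastPathReject=1.

    A missing section or key is treated as the default (0), which is the
    disclosing configuration described in the entry above."""
    cp = parse_urlscan_ini(text)
    for section in cp.sections():
        if section.lower() == "options":
            return cp.get(section, "UseFastPathReject", fallback="0").strip() == "1"
    return False

def harden_urlscan_ini(text):
    """Return the file text with UseFastPathReject=1 under [Options].

    Other lines are kept verbatim; the key (and the section, if absent) is added when missing."""
    out, in_options, saw_options, done = [], False, False, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            if in_options and not done:          # leaving [Options] without having seen the key
                out.append("UseFastPathReject=1")
                done = True
            in_options = stripped[1:-1].lower() == "options"
            saw_options = saw_options or in_options
        elif in_options and stripped.split("=", 1)[0].strip().lower() == "usefastpathreject":
            line, done = "UseFastPathReject=1", True   # rewrite the weak value in place
        out.append(line)
    if not done:                                  # file ended inside [Options], or had no [Options]
        if not saw_options:
            out.append("[Options]")
        out.append("UseFastPathReject=1")
    return "\n".join(out) + "\n"
```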
Related URL: 7767 (SecurityFocus)