| VID |
26147 |
| Severity |
20 |
| Port |
139,445 |
| Protocol |
TCP |
| Class |
SMB |
| Detailed Description |
Microsoft Internet Security and Acceleration (ISA) Server 2000 is affected by an information disclosure vulnerability. ISA Server publishes a Web service with Basic authentication enabled even though the Web publishing rules that process the request are configured as 'SSL required', so the Basic authentication challenge can be issued, and answered, over a non-secure HTTP connection. This is a security issue because Basic credentials are only Base64-encoded, not encrypted: if they are sent over an HTTP connection, anyone who can read the traffic can decode them back to the clear-text user name and password. An attacker able to intercept network communications between the ISA server and a client may leverage this issue to obtain the authentication credentials for the published Web site.
* Note: This check requires an account with Guest or higher privileges that can access the registry of the remote host being scanned. If this condition is not met, the check is not performed, which produces a false negative for every vulnerable host.
* References: http://support.microsoft.com/?id=821724
* Platforms Affected: Microsoft ISA Server 2000 SP2; Microsoft ISA Server 2000 SP1; Microsoft ISA Server 2000 FP1; Microsoft ISA Server 2000; Microsoft Windows 2000 Server |
| Recommendation |
To resolve this problem, apply security update MS05-034. To download this security update, visit the following Microsoft Web site: http://www.microsoft.com/technet/security/bulletin/ms05-034.mspx
This security update lets you control whether ISA Server requests Basic authentication for non-secure incoming HTTP Web requests. After the update is applied, ISA Server by default no longer requests Basic authentication on non-secure connections. If you do want ISA Server to request Basic authentication on non-secure connections, add the following DWORD value under the W3Proxy Parameters key (note that this re-opens the credential exposure described above):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3Proxy\Parameters\AllowAskBasicAuthOverNonSecureConnection : DWORD : 1 |
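The following Python is an added example, not part of this advisory or of Microsoft's update. It illustrates both passages above: the Detailed Description (why a Basic challenge answered over plain HTTP discloses the password to anyone who can read the connection) and the Recommendation (how to read the AllowAskBasicAuthOverNonSecureConnection value that re-enables that behaviour after the update). The captured requests, the host names, the credential EXAMPLE\jdoe / Summer2005! and the `reg query` output are all constructed for the example; the `reg query` text format is assumed.

```python
"""Added example: Basic credentials over non-SSL HTTP, and the post-update
registry switch. All inputs below are constructed, not real captures."""
import base64
import binascii
import re
from typing import Dict, List, Optional, Tuple

# Constructed requests as seen at the ISA Web listener. The flag says
# whether the request arrived on an SSL listener (decrypted at ISA) or
# on a plain-HTTP listener, where the same bytes also cross the network.
CAPTURED_REQUESTS: List[Tuple[bool, str]] = [
    (False, "GET /owa/ HTTP/1.1\r\nHost: mail.example.test\r\n"
            "Authorization: Basic RVhBTVBMRVxqZG9lOlN1bW1lcjIwMDUh\r\n\r\n"),
    (True,  "GET /owa/ HTTP/1.1\r\nHost: mail.example.test\r\n"
            "Authorization: Basic RVhBTVBMRVxqZG9lOlN1bW1lcjIwMDUh\r\n\r\n"),
    (False, "GET /public/ HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
]


def parse_headers(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP request into its request line and a header dict
    (names lower-cased; a repeated header keeps the last value)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def decode_basic(value: str) -> Optional[Tuple[str, str]]:
    """Recover (user, password) from an 'Authorization: Basic <b64>' value.
    Base64 is a reversible encoding, not encryption: no key is needed."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    # user-id ':' password; the user-id cannot contain ':' but the
    # password can, so split only on the first colon.
    user, sep, password = raw.decode("latin-1").partition(":")
    if not sep:
        return None
    return user, password


def find_cleartext_basic(captures: List[Tuple[bool, str]]) -> List[Tuple[str, str, str, str]]:
    """One finding per request that carried Basic credentials on a non-SSL
    connection: (request line, host, user, password). The SSL copy of the
    same request is not reported: an interceptor only sees ciphertext."""
    findings = []
    for over_ssl, raw in captures:
        request_line, headers = parse_headers(raw)
        creds = decode_basic(headers.get("authorization", ""))
        if creds and not over_ssl:
            findings.append((request_line, headers.get("host", ""), creds[0], creds[1]))
    return findings


# Constructed `reg query ... /v AllowAskBasicAuthOverNonSecureConnection`
# output from a host where an administrator added the value after the update.
REG_QUERY_OUTPUT = """
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W3Proxy\\Parameters
    AllowAskBasicAuthOverNonSecureConnection    REG_DWORD    0x1
"""


def basic_over_http_reenabled(reg_query_output: str) -> bool:
    """True when AllowAskBasicAuthOverNonSecureConnection is a non-zero DWORD,
    i.e. the administrator re-opened what the update disables by default.
    An absent value returns False; that is only safe on a host that has the
    update installed, so check the patch level separately."""
    m = re.search(r"AllowAskBasicAuthOverNonSecureConnection\s+REG_DWORD\s+"
                  r"(0x[0-9A-Fa-f]+|\d+)", reg_query_output)
    if not m:
        return False
    return int(m.group(1), 0) != 0


if __name__ == "__main__":
    for request_line, host, user, password in find_cleartext_basic(CAPTURED_REQUESTS):
        print(f"cleartext Basic on {host}: {user} / {password}  ({request_line})")
    print("Basic over non-SSL re-enabled:", basic_over_http_reenabled(REG_QUERY_OUTPUT))
```

The first part is what an attacker on the path does with a single plain-HTTP request: the Base64 token decodes with no secret, so the only defence is never to issue the Basic challenge on a non-secure listener. The second part is the check to run after the update: a missing value means the safe post-update default, but on an unpatched host the value is irrelevant and the host is still vulnerable.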
| Related URL |
CVE-2005-1217 (CVE) |
| Related URL |
13955 (SecurityFocus) |