FTP recursive list after applying MS09-053 by naziml

We recently released fixes for the publicly disclosed FTP vulnerabilities. One of the after-effects of applying this update will be that recursive list commands to IIS FTP 5.x, 6.0 will return the non-recursive listing. To make it clear, this feature...

Fixes released for FTP vulnerabilities by naziml

Microsoft has released security bulletin MS09-053 that will address the FTP vulnerabilities that were publicly disclosed a couple of weeks ago. The information in this bulletin supersedes the previous advisory.

[Updated] IIS FTP server vulnerabilities for FTP 5.x and FTP 6 by naziml

There have been two recently publicly disclosed vulnerabilities for FTP 5, FTP 5.1 and FTP 6. Wade has gone into great detail to explain what platforms are affected by each vulnerability in his blog post. Microsoft has released and refreshed an advisory...

Updated advisory for FTP Vulnerability on IIS by naziml

The public exposure of another vulnerability in the FTP stack has caused a revision in the Microsoft advisory. Please refer to the advisory at http://www.microsoft.com/technet/security/advisory/975191.mspx for updated information on exposure and impact...

Update for WebDAV vulnerability on IIS 5.x and IIS 6 by naziml

We now have a security update available to address the WebDAV extension vulnerability reported earlier. All customers affected should apply the update even if they have mitigated the issue through a workaround. The background here is that we had an encoding...

Update Released for Dynamic IP Restrictions Beta by naziml

We had a couple of forum threads that reported an issue in the Beta module for Dynamic IP Restrictions. Since we are doing a significant amount of change for Beta 2, we wanted to unblock customers affected by this issue by releasing a patch. So here...

WebDAV Authentication Bypass on IIS 5.0, 5.1 and 6.0 by naziml

Microsoft has released advisory 971492 about an Elevation of Privilege issue with the WebDAV extension for IIS 5.0, 5.1 and 6.0. These versions of IIS reside on Windows Server 2000, Windows XP and Windows Server 2003 respectively. The advisory contains...

Token Kidnapping fixed by naziml

I had gone into a little detail about explaining token kidnapping in an earlier post. Despite all the difficulties involved in fixing this, MS has released a comprehensive patch that addresses all the issues in MS09-012. This was a monumental effort...

Script to lock down IIS paths by naziml

In IIS 7 we have request filtering available to help with locking down files and directories that you don't want to serve out. This is useful for resources (like configuration) that you want your IIS worker process to have access to, but not serve it...
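The excerpt above only names the feature; the fragment below is an added illustration of what an IIS 7 request filtering lock-down looks like in a site's web.config. It is not the script the post refers to and not code from the original page. The segment and extension names (a `Logs` folder, `.bak` files) are assumed examples of resources the worker process needs on disk but must never serve; the `<requestFiltering>` element names themselves are the standard IIS 7 schema.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- Paths the worker process can still read, but IIS will answer
             404 to any request whose URL contains these segments.
             "Logs" and "Backups" are assumed example names. -->
        <hiddenSegments>
          <add segment="Logs" />
          <add segment="Backups" />
        </hiddenSegments>

        <!-- Extensions that must never be served regardless of location.
             .config is already denied by default in IIS 7; .bak is an
             assumed example of a leftover that would leak source. -->
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".config" allowed="false" />
          <add fileExtension=".bak" allowed="false" />
        </fileExtensions>

        <!-- Reject directory traversal and other sequences outright. -->
        <denyUrlSequences>
          <add sequence=".." />
          <add sequence=":" />
        </denyUrlSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

Request filtering runs before the handler is selected, so a denied request never reaches the static file handler or ASP.NET; the worker process identity still has NTFS read access to the hidden folders, which is the distinction the post draws. Verify a rule with a direct request (for example `http://host/Logs/today.txt`) and confirm a 404 rather than the file's contents; hidden segments do not apply to requests that arrive through WebDAV unless `applyToWebDAV="true"` is set on the segment.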

Script to install UrlScan v3.0 as a site filter. by naziml

Although using WIX to create an MSI to do this task is a cleaner approach, it is too heavy duty for me. I do this often enough to warrant creating a script for it, so I thought I would share it out. To use it you would run: InstallUrlScanAtSite.js -siteid...

Token Kidnapping in Windows by naziml

Microsoft has just released MS09-012 to address this issue in its entirety. Get further details here. You have probably heard about the Token Kidnapping vulnerability in Windows and read Microsoft's security advisory on it and are wondering why there...

UrlScan v3.0 RTW Released by naziml

About 2 months ago we released the beta for UrlScan v3.0 to address customer concerns with automated SQL injection attacks and we have been busy since refining it with the help of our customers, community and MVPs. You can download the bits at the links...

Using the new rules configuration in UrlScan v3.0 Beta (Part 2) by naziml

Dissecting the SQL injection sample in the walkthrough I will spend some time dissecting the SQL injection rule posted in the walkthrough for UrlScan. Before I do so, I want to re-iterate the fact that SQL injection is a web application issue, and hence...

UrlScan v3.0 filtering based on Request Entity by naziml

While some folks are rejoicing, others are noticing the lack of scanning for the request entity. Why would we do that? The easy answer is that this is just not possible with an ISAPI filter. In IIS 5 and earlier, there is no API that would allow us to...

Using the new rules configuration in UrlScan v3.0 Beta (Part 1) by naziml

If you haven't noticed already, UrlScan v3.0 Beta is out and it is the answer to all your prayers. Well maybe not all, but it still is nifty. UrlScan 2.5 is widely used and is quite popular. There were a few minor issues with it that were all fixed for...