Nazim's Security Blog
All things security ...
Recent Posts
Safely handling untrusted XML server-side
by naziml
If you didn't think that processing XML on the server side can lead to a Denial of Service, Information Disclosure or even Remote Code Execution, read on. The issues discussed here include a class of issues that is commonly referred to as XML...
Tags: Windows Security, XML
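As an added example (this is not code from the original post), here is how an ASP.NET handler can parse XML received from an untrusted client with .NET's XmlReaderSettings so that any document carrying a DOCTYPE, the vehicle for both external-entity file disclosure and entity-expansion denial of service, is rejected before a single entity is resolved. The weak loader is shown beside it for contrast; the payloads are constructed for the demo and the class and method names are my own.

```csharp
using System;
using System.IO;
using System.Xml;

static class SafeXml
{
    // Hardened reader settings for untrusted input:
    //  - DtdProcessing.Prohibit: any DOCTYPE raises XmlException, so SYSTEM
    //    entities (file/UNC/HTTP reads) and internal entity bombs never expand.
    //  - XmlResolver = null: even if a DTD were allowed, nothing fetches URIs.
    //  - MaxCharactersInDocument / MaxCharactersFromEntities: bound memory.
    static readonly XmlReaderSettings Hardened = new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Prohibit,
        XmlResolver = null,
        MaxCharactersFromEntities = 1024,
        MaxCharactersInDocument = 1024 * 1024
    };

    // Parses untrusted XML text into an XmlDocument, or throws XmlException.
    public static XmlDocument LoadUntrusted(string xml)
    {
        using (var text = new StringReader(xml))
        using (var reader = XmlReader.Create(text, Hardened))
        {
            var doc = new XmlDocument { XmlResolver = null };
            doc.Load(reader);
            return doc;
        }
    }

    // Weak counterpart: XmlDocument with a URL resolver (the default before
    // .NET 4.5.2) happily expands entities and fetches SYSTEM URIs.
    public static XmlDocument LoadUnsafe(string xml)
    {
        var doc = new XmlDocument { XmlResolver = new XmlUrlResolver() };
        doc.LoadXml(xml);
        return doc;
    }

    static void Main()
    {
        // Constructed sample payloads (not real traffic).
        const string xxe =
            "<?xml version=\"1.0\"?>" +
            "<!DOCTYPE r [<!ENTITY f SYSTEM \"file:///C:/Windows/win.ini\">]>" +
            "<r>&f;</r>";
        const string bomb =
            "<!DOCTYPE lolz [<!ENTITY a \"aaaaaaaaaa\">" +
            "<!ENTITY b \"&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;\">]>" +
            "<r>&b;&b;&b;</r>";
        const string benign = "<order><item sku=\"123\" qty=\"2\"/></order>";

        // Weak path: this small bomb already expands 10x10x3 = 300 chars; the
        // xxe payload would read win.ini the same way, so it is not run here.
        Console.WriteLine("unsafe loader expanded bomb to "
            + LoadUnsafe(bomb).DocumentElement.InnerText.Length + " chars");

        // Hardened path: both DOCTYPE payloads are rejected, the benign one parses.
        foreach (var payload in new[] { xxe, bomb, benign })
        {
            try
            {
                var doc = LoadUntrusted(payload);
                Console.WriteLine("accepted: <" + doc.DocumentElement.Name + ">");
            }
            catch (XmlException e)
            {
                Console.WriteLine("rejected: " + e.Message);
            }
        }
    }
}
```

The same settings object can be handed to XmlReader.Create wherever the application consumes request bodies, SOAP envelopes or uploaded files; the check worth keeping is that every reader over attacker-controlled bytes is created with DtdProcessing.Prohibit (or at least Ignore plus a null resolver), since a single default-constructed XmlTextReader reintroduces the whole class of issues.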
Is IIS vulnerable to the THC SSL DoS attack tool?
by naziml
There was a recently released tool by THC that can be used to launch Denial of Service (DoS) attacks against servers hosting SSL sites. Besides the traditional bot-net Distributed Denial of Service (DDoS) class attacks, this tool lets a single client...
Is IIS susceptible to the Apache Range Header DoS attack?
by naziml
A recent disclosure on seclists.org about a Denial of Service attack against Apache web servers has raised concerns about whether IIS web servers are affected. We will quickly talk about the issue and its impact on IIS web servers in this post. Issue...
World IPv6 Day and IIS 7
by naziml
Wednesday, June 8, 2011 is World IPv6 Day and there will be plenty of representation by IIS7 on the Windows Server side. From Microsoft we will have participation in this event by Microsoft.com, Bing.com and Xbox.com; all of which run IIS7 web servers...
Use of special characters like '%', '.' and ':' in an IIS URL
by naziml
We regularly get questions about % and other special characters in the URL and what the expected behavior is in IIS. The behavior in IIS is deterministic when it comes to these special characters, but to explain the behavior we...
Security update released for FTP 7.0 and FTP 7.5 0-day
by naziml
In the latter half of December 2010, an FTP 7.X exploit was published on http://www.exploit-db.com/exploits/15803/ . We posted a risk assessment in a blog on the Security Research and Defense team's blog http://blogs.technet.com/b/srd/archive/2010/12/22...
Security update released for ASP.NET Padding Oracle Vulnerability
by naziml
Microsoft has just released security bulletin MS10-070 with security updates for the issue. The updates are currently on Microsoft Download Center, but will be available through all other channels soon. ScottGu has also blogged some FAQs on this security...
Tags: Windows Security, ASP(x)
Update 1: ASP.NET Zero Day Vulnerability - Padding Oracle Exploit
by naziml
ScottGu has posted some additional FAQs on http://weblogs.asp.net/scottgu/archive/2010/09/20/frequently-asked-questions-about-the-asp-net-security-vulnerability.aspx The Microsoft advisory has been revised with some additional content in the FAQs. http...
Tags: Windows Security, ASP(x)
ASP.Net zero day vulnerability - Padding Oracle exploit
by naziml
An ASP.Net cryptographic zero day was publicly disclosed today. Microsoft has released an advisory to help customers understand the vulnerability and apply workarounds to secure their sites. The advisory is at http://www.microsoft.com/technet/security...
Tags: Windows Security, ASP(x)
Fixes for several IIS issues released in September 2010 patch cycle
by naziml
We just released a bulletin this September that addresses three IIS vulnerabilities. Two of these were responsibly disclosed, while one was publicly disclosed. The bulletin is on http://www.microsoft.com/technet/security/bulletin/MS10-065.mspx and contains...
Dynamic IP Restrictions Beta 2 released!
by naziml
Yes, it has been a while since Beta was released, but Beta 2 is finally released! You can download Dynamic IP Restrictions Beta 2 from the links below.
Dynamic IP Restrictions 1.0 Beta 2 – x86
Dynamic IP Restrictions 1.0 Beta 2 – x64
For more details...
Security fix for IIS Extended Protection released
by naziml
Microsoft has just released a fix for the Extended Protection for Windows Authentication feature in IIS. The details about the issue are in security bulletin MS10-040. Important things to note about the issue/fix: The fix is only applicable if you have...
Blocking SQL injection using IIS URL Rewrite
by naziml
We have had quite a few conversations about SQL injection on my blog, including Filtering SQL Injection from Classic ASP and Using Rules Configuration in UrlScan 3.0 to filter SQL injection. One of the shortcomings that we talked about was that UrlScan...
Tags: SQL injection
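As an added example, not the rule from the original post, here is a web.config fragment for the IIS URL Rewrite module that returns 403 when the URL-decoded query string carries common SQL injection tokens. The rule name, the keyword list and the status text are my own illustrative choices; the {UrlDecode:...} function requires URL Rewrite 2.0 or later.

```xml
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Inbound rule: look at every request, block on SQL tokens in the query string. -->
        <rule name="Block SQL injection in query string" stopProcessing="true">
          <match url=".*" />
          <conditions logicalGrouping="MatchAny">
            <!-- UrlDecode so that %27 is inspected as a quote and %2D as a dash;
                 condition matching is case-insensitive by default (ignoreCase="true"). -->
            <add input="{UrlDecode:{QUERY_STRING}}"
                 pattern="('|--|/\*|;\s*(drop|exec|declare)\b|\b(union\s+(all\s+)?select|select\s+.+\s+from|insert\s+into|delete\s+from|drop\s+table|xp_cmdshell)\b)" />
          </conditions>
          <!-- CustomResponse (rather than AbortRequest) leaves a 403 in the IIS log for tuning. -->
          <action type="CustomResponse" statusCode="403"
                  statusReason="Forbidden"
                  statusDescription="Request blocked by SQL injection filter" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

To verify the rule, request a page on the site with a query string such as ?id=1%27%20or%201=1-- and confirm the 403 in the W3C log; then run the site's real traffic against it for a while, because quote characters and words like "select" or "update" occur in legitimate free-text parameters and every match is a hard failure. The rule is a defense-in-depth filter in front of the application; the fix for the injection itself remains parameterized queries in the code.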
Fixing IIS 6 issue with semi-colon
by naziml
In an earlier post I talked about the semi-colon issue and since then we have published a KB article 979124 on how to configure uploads for web applications in IIS as well. To complete the story I wanted to do a quick write-up on how to go about fixing...
Tags: UrlScan, IIS6
Public disclosure of IIS security issue with semi-colons in URL
by naziml
IIS has been alerted to the claim of a new security issue in IIS 6 and I wanted to explain the issue and our position on it. The issue in question affects only IIS 6 (Windows Server 2003) and arises when you send a URL with a semi-colon in it. IIS 6 uses...
Tags: IIS6