Info
Last Modified: 4 months ago

Description
Microsoft IIS contains a flaw that may lead to unauthorized information disclosure. The issue is triggered by attempting to access an area protected via basic HTTP authentication without providing realm information, by making a request without a Host: header, or by trying to access a resource that has been moved (302). The response header may then disclose the internal IP address or network name, resulting in a loss of confidentiality.

Classification
Location: Remote/Network Access Required
Attack Type: Information Disclosure
Impact: Loss of Confidentiality
Exploit: Exploit Available
Disclosure: OSVDB Verified
OSVDB: Web Related

Technical
WARNING: Using the Adsutil.vbs file incorrectly causes serious problems that require you to reinstall Internet Information Server 4.0. Microsoft cannot guarantee that problems resulting from the incorrect use of the Adsutil.vbs file can be solved. Use the Adsutil.vbs file at your own risk.
NOTE: The IP address may be disclosed in the 'Location' or 'WWW-Authenticate' header, and may be triggered by a GET or HEAD request.

Solution
Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround:
Change the w3svc/UseHostName value (from False to True) in the metabase.
This is done by using adsutil.vbs or by manually changing values within the metabase.
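
A defender-side check for the disclosure described above, as an added example that is not part of the original advisory: it scans the `Location` and `WWW-Authenticate` headers of a saved HTTP response for RFC 1918 addresses or operator-listed internal names, which can help confirm that the UseHostName workaround took effect. The function name, the `internal_names` parameter and the sample responses are assumptions constructed for illustration.

```python
import ipaddress
import re

WATCHED = ("location", "www-authenticate")   # headers named in the NOTE above
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
LABEL = re.compile(r"[A-Za-z0-9-]+")

def leaked_internal_values(raw_response, internal_names=()):
    """Return (header, value) pairs where a watched response header exposes
    an RFC 1918 address or one of the operator-supplied internal names."""
    names = {n.lower() for n in internal_names}
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = []
    for line in head.split("\n")[1:]:         # [1:] skips the status line
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()  # unfold a continuation line
        else:
            headers.append(line)
    findings = []
    for line in headers:
        name, sep, value = line.partition(":")
        name = name.strip()
        if not sep or name.lower() not in WATCHED:
            continue
        for candidate in IPV4.findall(value):
            try:
                addr = ipaddress.IPv4Address(candidate)
            except ipaddress.AddressValueError:
                continue                       # not a valid address, e.g. 999.1.1.1
            if any(addr in net for net in RFC1918):
                findings.append((name, candidate))
        findings += [(name, label) for label in LABEL.findall(value)
                     if label.lower() in names]
    return findings

# Constructed sample responses, not captured from a real server.
BEFORE = ("HTTP/1.1 302 Object Moved\r\n"
          "Location: http://192.168.10.5/images/\r\n"
          "Server: Microsoft-IIS/5.0\r\n\r\n")
AUTH = ("HTTP/1.1 401 Access Denied\r\n"
        'WWW-Authenticate: Basic realm="10.1.2.3"\r\n\r\n')
AFTER = ("HTTP/1.1 302 Object Moved\r\n"
         "Location: http://www.example.com/images/\r\n\r\n")

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("auth", AUTH), ("after", AFTER)):
        print(label, leaked_internal_values(sample))
```

An empty result for a response captured after the metabase change indicates the watched headers no longer carry an RFC 1918 address or a listed name.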

Products
IIS: 4.0, 3.0, 2.0, 5.0, 5.1, 6.0

Credit
- Dougal Campbell - dougal
GUNTERS.ORG -