Microsoft IIS Log Bypass

2003-12-28T08:22:47
ID OSVDB:3231
Type osvdb
Reporter OSVDB
Modified 2003-12-28T08:22:47

Description

Vulnerability Description

IIS contains a flaw that may allow a malicious user to probe a server without being logged. The issue is triggered when the TRACK verb is used in a request, because IIS does not write TRACK requests to its log files. As a result, unauthorized probing of the server may go undetected.

Solution Description

Upgrade to version 6 or higher, which has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: install URLScan and add TRACK to the DenyVerbs section of its configuration, so that TRACK requests are rejected before they reach IIS.
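The following is an added example for verifying the workaround; it is not part of the OSVDB record. It parses a URLScan.ini and reports whether TRACK can reach IIS in either of URLScan's two verb-filtering modes (allow-list when UseAllowVerbs=1, deny-list when UseAllowVerbs=0). The two INI texts are constructed samples, and treating a missing UseAllowVerbs as deny-list mode is an assumption of this example.

```python
"""Check a URLScan.ini for the TRACK workaround (added example, not from the advisory).

URLScan filters verbs with an allow-list ([AllowVerbs], UseAllowVerbs=1) or a
deny-list ([DenyVerbs], UseAllowVerbs=0).  The workaround is only effective if
TRACK is denied (or not allowed) in whichever mode is active.
"""
import configparser

# Constructed sample: deny-list mode, TRACE denied but TRACK missing (weak).
WEAK_INI = """
[options]
UseAllowVerbs=0
[DenyVerbs]
TRACE
"""

# Constructed sample: same file with TRACK added to DenyVerbs (fixed).
FIXED_INI = """
[options]
UseAllowVerbs=0
[DenyVerbs]
TRACE
TRACK
"""


def load_urlscan(text):
    # URLScan verb sections list one verb per line with no '=' value.
    cp = configparser.ConfigParser(allow_no_value=True, strict=False)
    cp.optionxform = str  # keep option names case-sensitive (UseAllowVerbs)
    cp.read_string(text)
    return cp


def verbs(cp, section):
    # Return the verbs listed in a section, upper-cased for comparison.
    if not cp.has_section(section):
        return set()
    return {v.strip().upper() for v in cp[section]}


def track_blocked(ini_text):
    """True if URLScan will reject TRACK with this configuration."""
    cp = load_urlscan(ini_text)
    # Assumption: an absent UseAllowVerbs is treated as deny-list mode here.
    use_allow = cp.get("options", "UseAllowVerbs", fallback="0").strip() == "1"
    if use_allow:
        return "TRACK" not in verbs(cp, "AllowVerbs")
    return "TRACK" in verbs(cp, "DenyVerbs")
```

Run track_blocked() over each URLScan.ini on the server; a False result means TRACK requests will still be served and still go unlogged.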


Manual Testing Notes

You can reproduce the problem with a tool like netcat by sending the following request line, followed by two CRLF pairs: TRACK / HTTP/1.0

You will see a response from IIS (just as for a TRACE request), but the request will not appear in the IIS log files.

References:

Secunia Advisory ID: 10506
Other Advisory URL: http://www.aqtronix.com/Advisories/AQ-2003-02.txt
ISS X-Force ID: 14077
CERT VU: 288308
Bugtraq ID: 9313