Microsoft IIS服务跟踪日志绕过漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1107604 漏洞类型 配置错误
发布时间 2003-12-29 更新时间 2009-01-14
CVE编号 CVE-2003-1566 CNNVD-ID CNNVD-200901-174
漏洞平台 Windows CVSS评分 5.0
|漏洞来源
https://www.exploit-db.com/exploits/23490
https://www.securityfocus.com/bid/80383
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200901-174
|漏洞详情
MicrosoftIIS是一款微软开发的WEB服务程序。MicrosoftIIS服务跟踪日志记录存在问题,远程攻击者可以利用这个漏洞提交恶意请求而不被记录。问题是IIS服务器对"TRACK"请求没有进行日志记录,这可导致攻击者对服务器进行探测或生成部分通信不被发现。IIS6.0不受此漏洞影响。
|漏洞EXP
source: http://www.securityfocus.com/bid/9313/info

A vulnerability has been reported to affect Microsoft IIS. It has been reported that IIS fails to log HTTP TRACK calls made to the affected server. A remote attacker may exploit this condition in order to enumerate server banners. 

TRACK / HTTP/1.0 [\r\r]
|受影响的产品
Microsoft Internet Information Services 5.0
|参考资料

来源:XF
名称:iis-improper-httptrack-logging(14077)
链接:http://xforce.iss.net/xforce/xfdb/14077
来源:BID
名称:9313
链接:http://www.securityfocus.com/bid/9313
来源:OSVDB
名称:4864
链接:http://www.osvdb.org/4864
来源:MISC
链接:http://www.aqtronix.com/Advisories/AQ-2003-02.txt
来源:NTBUGTRAQ
名称:20031227AQ-2003-02:MicrosoftIISLoggingFailure
链接:http://archives.neohapsis.com/archives/ntbugtraq/2003-q4/0321.html