Focus on Microsoft
Re: are my binaries being exposed on my ASP.NET website? Nov 26 2003 03:25PM
Thor (thor hammerofgod com) (1 replies)
Re: are my binaries being exposed on my ASP.NET website? Nov 28 2003 05:30AM
Jimi Thompson (jimit myrealbox com)
I tend to agree. I do a fair amount of consulting work and I've never
had a problem when someone asked me to show them how I obtained a
sensitive bit of information. If you can't reproduce it, then the
consultant should be able to show you how he got in the first place. If
he can't, I think I'd consider getting another consultant.

HTH,

Jimi

Thor wrote:

>RE: are my binaries being exposed on my ASP.NET website? Sorry, I missed
>that-- when I read "remove the extension" my brain said "rename file." The
>consultant is reporting that all he does is remove the extension from the
>URL and he gets the binary files? Yet you can't reproduce it? Similar to the
>old :DATA bug?
>
>I think it is time you use the two words consultants just love to hear:
>"Show me."
>
>t
>
>
>----- Original Message -----
>From: Ed Devlin
>To: 'Thor' ; focus-ms (at) securityfocus (dot) com [email concealed]
>Sent: Wednesday, November 26, 2003 3:35 AM
>Subject: RE: are my binaries being exposed on my ASP.NET website?
>
>
>Thanks for your response. I agree that WebDAV is a bit naughty, from a
>security point of view, and file renaming could be used to fool the ISAPI
>extensions.
>But the technique that our consultant is using does not require any renaming
>of files using WebDAV. The attack is simply to issue a request for a page
>without its .aspx extension, when logged into the public-facing website.
>As I said, I can't reproduce it. I just wondered if anyone else had
>seen/heard of something like this....
>Ed
>
>
>

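One way to settle the "show me" question against your own site, as an added example that is not from the thread: for each .aspx page it requests the extensionless URL the consultant describes and flags a 200 response whose body looks like a compiled file (PE "MZ" magic or an octet-stream content type) rather than rendered HTML. The fetcher, its cookie parameter and the fake server responses are constructed for this example.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

def strip_extension(path):
    """Turn '/app/Default.aspx?x=1' into '/app/Default?x=1' (query kept)."""
    parts = urlsplit(path)
    stem, dot, ext = parts.path.rpartition(".")
    bare = stem if dot and "/" not in ext else parts.path
    return parts._replace(path=bare).geturl()

def looks_like_binary(status, content_type, body):
    """A rendered page comes back as text/html; a leaked compiled file
    shows up as an octet-stream or starts with the PE 'MZ' magic."""
    if status != 200:
        return False
    if body[:2] == b"MZ":
        return True
    return "application/octet-stream" in content_type.lower()

def check_exposure(pages, fetch):
    """Return {bare_path: exposed?} for the extensionless variant of each
    page. fetch(path) must return (status, content_type, first_bytes)."""
    results = {}
    for page in pages:
        bare = strip_extension(page)
        status, ctype, body = fetch(bare)
        results[bare] = looks_like_binary(status, ctype, body)
    return results

def http_fetcher(base_url, cookie=None):
    """Real fetcher for your own site; cookie carries the logged-in session
    the report says is needed. Constructed helper, not from the thread."""
    def fetch(path):
        req = urllib.request.Request(urljoin(base_url, path))
        if cookie:
            req.add_header("Cookie", cookie)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, resp.headers.get("Content-Type", ""), resp.read(512)
        except urllib.error.HTTPError as err:
            return err.code, "", b""
    return fetch

# Constructed responses standing in for a server so the check runs offline.
FAKE_RESPONSES = {
    "/Default": (200, "text/html", b"<html>rendered page</html>"),
    "/Admin/Reports": (200, "application/octet-stream", b"MZ\x90\x00leaked"),
    "/Login": (404, "text/html", b"<html>not found</html>"),
}

def fake_fetch(path):
    return FAKE_RESPONSES.get(path, (404, "text/html", b""))
```

Run `check_exposure(["/Default.aspx", "/Admin/Reports.aspx", "/Login.aspx"], http_fetcher("https://your-site.example/", cookie="..."))` against a site you own; only a 200 with a binary-looking body counts, so a 404 or a normally rendered page does not confirm the report.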