First off, let me just post this...someone I know has been receiving quite a lot of the following on their BID:

"9,2002-01-02 04:25:16,2004303,UPNP NOTIFY
overflow,10.100.3.107,,239.255.255.250,,length=96&location=h
ttp://10.
100.3.107:2869/upnphost/udhisapi.dll?content%3Duuid:38a5581b
-432a-
49ed-9f8e-1eca1ab25585,30,,1900,1900,00000411"

Regarding Tim's comment on the SANS NewsBytes email...well, it's from SANS...SANS is a commercial organization, and things must be presented in a unique manner in order to differentiate the organization.

Regarding Tim's comment on a worm using this vulnerability...honestly, I'd like to hear the reasoning behind that one. After all, sadmin/IIS was followed by Code Blue and Nimda...all using the same directory transversal exploit. Code Red exploited a vulnerability that could have been obviated at installation time by simply disabling the script mapping (falls under "unnecessary services or functionality" for most sites). Yet these worms were still prolific. So why don't you think we'll see this in a worm?

Sadly, too many folks who come to SF to read Tim's stuff are just looking for something to pick at...while themselves neither revealing their own names, nor writing their own articles.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/50/9642#9642