Microsoft URLScan Information Disclosure Weakness

A weakness has been reported for URLScan that may result in the disclosure of sensitive information.

The weakness exists because of the way URLScan handles HEAD HTTP requests. Specifically, when URLScan receives a HEAD request that is subsequently rejected, it is automatically converted to a GET request and sent to the underlying IIS server.

The information returned may allow an attacker to identify systems that use URLScan.


Copyright 2010, SecurityFocus