From: Secunia Security Advisories (sec-advsecunia.com)
Date: Mon Jul 07 2003 - 05:57:17 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

TITLE:
Microsoft URLScan Server Header Information Disclosure Vulnerability

READ ONLINE:
http://www.secunia.com/advisories/9194/

CRITICAL:
Not critical

IMPACT:
Security Bypass, Exposure of system information

WHERE:
From remote

SOFTWARE:
URLScan Security Tool 2.x

DESCRIPTION:
A vulnerability has been reported in URLScan, which can be exploited
by malicious people to gain knowledge of system information that
should be blocked.

It is possible to disclose server header information even though the
setting "RemoveServerHeader" is enabled. This can be done by sending
certain requests to the HTTPS service (port 443/tcp) of a web server,
which makes the server reply with a "400 Bad Request" error message
disclosing the information.

The vulnerability has been reported in version 2.5. However, other
versions may also be affected.

SOLUTION:
If this is regarded as a security threat, then use another product to
remove server header information.

REPORTED BY / CREDITS:
John Madden

----------------------------------------------------------------------

Secunia recommends that you verify all advisories you receive, by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

Contact details:
Web : http://www.secunia.com/
E-mail : supportsecunia.com
Tel : +44 (0) 20 7016 2693
Fax : +44 (0) 20 7637 0419

----------------------------------------------------------------------

Unsubscribe: Secunia Security Advisories

----------------------------------------------------------------------

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]