From: Marco van Berkum (m.v.berkum@obit.nl)
Date: Tue Mar 18 2003 - 06:21:38 EST
Hi,
while pentesting a remote customer I came across this issue:
$ telnet somehost 80
Trying xxx.xxx.xxx.xxx...
Connected to somehost.
Escape character is '^]'.
SEARCH / HTTP/1.0
HTTP/1.1 200 OK
<HTML>
This site is using lockdown but what suprised me a bit is that its nicely
according to the OPTIONS request these options are allowed:
Public: OPTIONS, TRACE, GET, HEAD, POST
I was not able to produce this on other machines.
Cheers,
This archive was generated by hypermail 2.1.7
: Sat Apr 12 2008 - 10:53:30 EDT
Server: Microsoft-IIS/5.0
Cache-Control: no-cache,no-transform
Expires: Tue, 18 Mar 2003 10:49:32 GMT
Content-Location:
http://xxx.xxx.xxx.xxx/intro.htm?404;http://xxx.xxx.xxx.xxx/
Vary: *
Date: Tue, 18 Mar 2003 10:49:32 GMT
Content-Type: text/html
Accept-Ranges: bytes
Content-Length: 302
bladiebla text text
</HTML>
Connection closed by foreign host.
$
telling me that its using urlscan in the Content-Location header.
It exposes this information by using the SEARCH, TRACE, PROPFIND
and PROPPATCH option, any other requests do not expose 'interesting'
information in the Content-Location header.
Allow: OPTIONS, TRACE, GET, HEAD
Any hints on what might be causing this ?
Marco van Berkum
--
----------------------------------------
| Marco van Berkum / MB17300-RIPE |
| m.v.berkum@obit.nl / http://ws.obit.nl |
----------------------------------------
----------------------------------------------------------------------------
Did you know that you have VNC running on your network?
Your hacker does. Plug your security holes now!
Download a free 15-day trial of VAM:
http://www2.stillsecure.com/download/sf_vuln_list.html