RE: Web app error messages.

From: Hagen, Eric (hagene@DenverNewspaperAgency.com)
Date: Thu Oct 26 2006 - 17:40:53 EDT

• Next message: Joseph McCray: "Re: How do you monetize your skills?"
• Previous message: ep: "RE: Windows XP / 2K3 Default Users"
• Maybe in reply to: Lee Lawson: "Web app error messages."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

That's a standard IIS message that is given out when you try to browse the root of a directory that does not exist.

http://support.microsoft.com/kb/185380/EN-US/

You can simply drop an apporpriate index.html (or other default named) file in there if you want to customize the message depending on the directory that is entered.

http://support.microsoft.com/kb/320051

or...

You can configure IIS to automatically return a specific page rather than the directory listing error. (See error 403.14)

http://www.microsoft.com/windows2000/en/server/iis/default.asp?url=/windows2000/en/server/iis/htm/core/iierrabt.htm

Eric

-----Original Message-----
From: listbounce@securityfocus.com
[mailto:listbounce@securityfocus.com]On Behalf Of Lee Lawson
Sent: Thursday, October 26, 2006 8:17 AM
To: pen-test@securityfocus.com
Subject: Web app error messages.

Hi all,

I have recently conducted a web application penetration test for a
client and I am a little stuck as to the resolution advice I need to
give.

I have highlighted, among other things, the enumeration of 'hidden'
directories within the app. This is normally conducted by finding
Access Denied or Forbidden messages, but I have come across the
following message:
"Virtual Directory Listing Denied."

That is all that is displayed on the page! They are using asp and IIS.

What I need to know is:
what exactly is creating the error message? IIS? ASP? etc.
How to create a bespoke error message or preferably redirect the user
to the home page?

Thanks in advance.

-- 
Lee J Lawson
leejlawson@gmail.com
leejlawson@hushmail.com
"Give a man a fire, and he'll be warm for a day; set a man on fire,
and he'll be warm for the rest of his life."
"Quidquid latine dictum sit, altum sonatur."
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------

• Next message: Joseph McCray: "Re: How do you monetize your skills?"
• Previous message: ep: "RE: Windows XP / 2K3 Default Users"
• Maybe in reply to: Lee Lawson: "Web app error messages."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:14 EDT