
List:       patchmanagement
Subject:    RE: "Quiet" Patch
From:       "Depp, Dennis M." <deppdm () ornl ! gov>
Date:       2005-01-13 12:52:57
Message-ID: 325F46FDC9A60242846F2DCBFB4D092701524EEA () ORNLEXCHANGE ! ornl ! gov
[Download RAW message or body]

IIS 6.0 does not require URLLockdown.  This is because IIS 6.0 is locked
down by default.  However, URLScan can be installed on IIS 6.0.  There
are several web vulnerabilities that cannot be fixed except through
URLScan.  I believe the Httptrace is one of these vulnerabilities.  (my
memory may be incorrect though!)

Dennis 

-----Original Message-----
From: Block, Mike [mailto:mike.block@equitablebank.net] 
Sent: Wednesday, January 12, 2005 6:21 PM
To: Patch Management Mailing List
Subject: RE: "Quiet" Patch

Ok, following this thread I have some questions: doesn't 887289 refer to
patching canonicalization problems in ASP.Net applications using their
VPModule.msi package? The other question is: I thought URLscan was
primarily a canonicalization tool for use with IIS 5.0. I recollect
reading somewhere that IIS 6.0 did not require URLscan. Is that correct?
Is 887289 required if you don't use ASP.Net on your IIS server, and do
you still need URLscan on your IIS 6.0 server?  

-----Original Message-----
From: Todd Towles [mailto:toddtowles@brookshires.com]
Sent: Wednesday, January 12, 2005 4:40 PM
To: Patch Management Mailing List
Subject: RE: "Quiet" Patch


But running URLScan should take care of this, correct? The IISLockdown
wouldn't stop those as well? 

> -----Original Message-----
> From: Gravity Storm Software [mailto:gstorm@securitybastion.com] 
> Sent: Wednesday, January 12, 2005 3:57 PM
> To: Patch Management Mailing List
> Subject: "Quiet" Patch
> 
> // I work for Gravity Storm Software (Service Pack Manager)
> 
> In addition to 3 new security patches that were released 
> today by Microsoft, there is another older patch (from Oct 
> 2004) that I'd like to bring to your attention (KB887289):
> http://support.microsoft.com/?kbid=887289
> It wasn't categorized by MS as a security patch, but the article says:
> "When a Web server receives a URL, the server maps the 
> request to a file system path that determines the response. 
> The canonicalization routine that is used to map the request 
> must correctly parse the URL to avoid serving or processing 
> unexpected content."
> So although one can argue to what extent it is security 
> issue, to us it looked important enough to include it for 
> users' consideration.
> 
> Leon Havin
> Gravity Storm Software, LLC.
> 3525 Del Mar Heights Road, #630
> San Diego, CA 92130
> (858) 792-0162
> http://www.securitybastion.com
> mailto:gstorm@securitybastion.com
> 
> ---
> To unsubscribe send a blank email to 
> leave-patchmanagement@patchmanagement.org
> 
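The canonicalization routine that the KB887289 excerpt above describes, illustrated with an added example that is not part of this thread and is not the code of IIS, ASP.NET or URLScan. It shows the kind of checks such a routine has to make before a URL is mapped to a file system path: single percent-decoding with double-encoding detection, backslash normalization, dot-segment resolution that refuses to climb above the root, and rejection of spellings NTFS would silently rewrite. The web root `/var/www/site`, the function names and the sample requests are all constructed for the example.

```python
# Added example (not code from IIS, URLScan or KB887289): a defender-side
# canonicalization check of the kind the quoted article describes. The web root
# and the sample requests below are constructed for illustration.
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/site"  # assumed web root; IIS would use the site's physical path


class CanonicalizationError(ValueError):
    """Raised when a request path cannot be mapped safely."""


def canonicalize_path(raw_path: str) -> str:
    """Return a single canonical form of the request path, or raise.

    Each step closes one way in which two differently spelled URLs can reach
    the same file, which is what lets a filter and the file system disagree
    about what is actually being served.
    """
    path = raw_path.split("?", 1)[0]          # the query string never selects a file

    decoded = unquote(path)
    if unquote(decoded) != decoded:           # %252e%252e -> %2e%2e -> ..
        raise CanonicalizationError("double-encoded path")
    if "\x00" in decoded:
        raise CanonicalizationError("embedded NUL byte")

    decoded = decoded.replace("\\", "/")      # Windows treats '\' as a separator too
    segments: list[str] = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue                          # empty and '.' segments change nothing
        if seg == "..":
            if not segments:
                raise CanonicalizationError("path escapes the web root")
            segments.pop()
            continue
        if seg != seg.rstrip(". "):
            # NTFS drops trailing dots and spaces, so 'secret.txt.' and
            # 'secret.txt' name the same file; refuse the ambiguous spelling.
            raise CanonicalizationError("trailing dot or space in segment")
        if ":" in seg:
            raise CanonicalizationError("colon in segment (drive or stream syntax)")
        segments.append(seg)
    return "/" + "/".join(segments)


def map_to_file(raw_path: str, root: str = WEB_ROOT) -> str:
    """Map a request path to a file system path, enforcing the root boundary."""
    canonical = canonicalize_path(raw_path)
    fs_path = posixpath.join(root, canonical.lstrip("/"))
    # Belt and braces: even after canonicalization, refuse anything outside root.
    if fs_path != root and not fs_path.startswith(root.rstrip("/") + "/"):
        raise CanonicalizationError("mapped path left the web root")
    return fs_path


def decide(raw_path: str, root: str = WEB_ROOT) -> tuple[bool, str]:
    """Convenience wrapper: (True, fs_path) when servable, (False, reason) otherwise."""
    try:
        return True, map_to_file(raw_path, root)
    except CanonicalizationError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample requests: benign spellings and a few that must be refused.
    for req in ["/images/logo.png", "/docs/./a/../b.html?v=2",
                "/docs%2F..%2Findex.html", "/docs/..%5c..%5coutside.txt",
                "/%252e%252e/secret.txt", "/docs/secret.txt."]:
        print(f"{req!r:40} -> {decide(req)}")
```

The point of the example is the order of operations: decode exactly once and only then normalize separators and dot segments, because a filter that inspects the raw string sees `%5c` or `%252e` where the file system will later see `\` or `..`. Rejecting rather than silently fixing the ambiguous spellings also gives the server something to log, which is how a canonicalization probe becomes visible in the access logs.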

