Can't get rid of localstart.asp

I have deleted the localstart.asp file from my web server because of the vulnerability associated with a brute force attack on localstart.asp. This server is my OWA server. Everything works fine, but my vulnerability scans continue to show the localstart.asp vulnerability. When I go to https://webservername/localstart.asp, I am prompted for a username and password, which is the reason I am being flagged by my scanner. I have checked everywhere on the server and the localstart.asp file is nowhere on it. Why would I be prompted for authentication when the file does not exist? More importantly, how do I stop it?

Thanks
--
Steve

On Fri, 10 Jun 2005 14:37:02 -0700, SteveC
<Ste***@discussions.microsoft.com> wrote:

>I have deleted the localstart.asp file from my web server because of the
>vulnerability associated with a brute force attack on localstart.asp. This
>server is my OWA server. Everything works fine, but my vulnerability scans
>continue to show the localstart.asp vulnerability. When I go to
>https://webservername/localstart.asp, I am prompted for a username and
>password, which is the reason I am being flagged by my scanner. I have checked
>everywhere on the server and the localstart.asp file is nowhere on it. Why
>would I be prompted for authentication when the file does not exist? More
>importantly, how do I stop it?

The authentication may be unrelated to the actual file requested.
Have you tried requesting another file which also doesn't exist?

FWIW, you can eliminate any vulnerability by saving a file as
localstart.asp which does nothing but display a text message that the
file does not exist.

Jeff

It was limited to the localstart.asp file. Other fictitious files did not prompt for password. However, your post gave me an idea. I just created a blank file in the webroot directory, named it localstart.asp, and gave anonymous access to the file only (to prevent prompting for authentication). Now, when you go to https://webserver/localstart.asp, nothing happens. This has also made the vulnerability scan stop flagging it as a vulnerability.

Problem solved... Thanks for the help.
--
Steve

"Jeff Cochran" wrote:

> On Fri, 10 Jun 2005 14:37:02 -0700, SteveC
> <Ste***@discussions.microsoft.com> wrote:
>
> >I have deleted the localstart.asp file from my web server because of the
> >vulnerability associated with a brute force attack on localstart.asp. This
> >server is my OWA server. Everything works fine, but my vulnerability scans
> >continue to show the localstart.asp vulnerability. When I go to
> >https://webservername/localstart.asp, I am prompted for a username and
> >password, which is the reason I am being flagged by my scanner. I have checked
> >everywhere on the server and the localstart.asp file is nowhere on it. Why
> >would I be prompted for authentication when the file does not exist? More
> >importantly, how do I stop it?
>
> The authentication may be unrelated to the actual file requested.
> Have you tried requesting another file which also doesn't exist?
>
> FWIW, you can eliminate any vulnerability by saving a file as
> localstart.asp which does nothing but display a text message that the
> file does not exist.
>
> Jeff
>
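The diagnostic suggested in the thread (request another file that also does not exist and compare) and the before/after states of the fix can be checked from a client. This is an added example, not part of the original thread; the function names, the result labels and the random control filename are assumptions made for illustration.

```python
import sys
import urllib.error
import urllib.request
import uuid


def probe(url, timeout=10):
    """Return (status, WWW-Authenticate header or None) for an unauthenticated GET."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("WWW-Authenticate")
    except urllib.error.HTTPError as err:
        # 401 and 404 arrive here; the response headers are still available.
        return err.code, err.headers.get("WWW-Authenticate")


def classify(target, control):
    """Compare the probe of localstart.asp with the probe of a random missing file."""
    t_status, t_auth = target
    c_status, _ = control
    if t_status == 401 and c_status == 401:
        return "auth-required-for-any-path"   # prompt is unrelated to the file requested
    if t_status == 401:
        return "auth-specific-to-target"      # what the thread observed before the fix
    if t_status == 200 and t_auth is None:
        return "served-anonymously"           # state after the placeholder file was added
    if t_status == 404:
        return "not-found"
    return "other-%d" % t_status


def check(base_url, name="localstart.asp", fetch=probe):
    """Probe <base_url>/<name> and a control path that should not exist."""
    base = base_url.rstrip("/")
    control_name = "missing-%s.asp" % uuid.uuid4().hex   # constructed name, assumed absent
    return classify(fetch("%s/%s" % (base, name)),
                    fetch("%s/%s" % (base, control_name)))


if __name__ == "__main__":
    # Usage: python check_localstart.py https://webservername
    print(check(sys.argv[1]))
```

A server certificate that the client does not trust raises `urllib.error.URLError` before any status is returned, so run the check from a host that trusts the server's certificate.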