What's wrong with the way IIS responds to requests for static web pages?
There is a flaw in the component responsible for serving static web pages. The component does not correctly validate requests passed to it, and as a result a buffer-overrun condition occurs when overly long requests are passed to it.

What could this vulnerability enable an attacker to do?
This vulnerability could enable an attacker to execute code of their choice with user-level privileges on the IIS Server. However, to do so, an attacker would first need to be able to upload SSINC web pages to the IIS Server.

Does the IIS Lockdown Tool block this attack?
Yes – by default, the IIS Lockdown Tool will remove the SSINC script map.

What is the significance of an attacker only gaining user-level permissions from this attack?
By default, the affected component operates under a user account and not the system account. This user account has far fewer privileges on the server than the system account – for example, a user account cannot add or remove other user accounts or restart services.

How co