[OT] IIS security

Discussion in 'Windows Small Business Server' started by James Reather, May 25, 2004.

  1. James Reather, May 25, 2004
    #1

  2. James Reather

    Matt Gibson Guest

    *Raises Hand*

    Notice how it says they were attacked? Through a web based administration
    page, and then using SQL injection.

    That's got no effect on IIS security.

    -Matt
     
    Matt Gibson, May 25, 2004
    #2

  3. Where does it say that?
    "No effect" ...err... <shakes head> I suppose that insecure "web based
    administration page" was running on a rogue Apache server, was it? ;-)
    Better still, perhaps the SQL database in question was actually MySQL? :)
    :)

    I suppose we could sum it up like this: if Microsoft's MSPress division
    can't keep their IIS servers secure, what makes you think *you're* so much
    more capable? Better be sure of yourself before you stick your head above
    the parapet...

    James
     
    James Reather, May 25, 2004
    #3
  4. James Reather

    Matt Gibson Guest

    Sorry, I should have been more specific. On the Daily-Dave mailing list,
    from Dave Aitel of Immunitysec.com, it was said that "They found the
    administration page and performed a SQL injection attack, allowing them to
    manage the content of the section."
    That's like saying that since one car was stolen because the doors were
    unlocked, all cars are vulnerable. They got hacked because someone wrote
    sloppy code. They did not get hacked because of a problem in IIS.
    Actually, I do think I'm more capable than the people who set that one up.
    There are no scripts that run on my site and I don't parse content like they
    did. Ergo, I'm not susceptible to the same flaws that got them hacked.
     
    Matt Gibson, May 25, 2004
    #4