{"id":90,"date":"2007-06-06T12:32:09","date_gmt":"2007-06-06T10:32:09","guid":{"rendered":"http:\/\/www.mitternachtshacking.de\/blog\/90-its-not-a-bug"},"modified":"2012-06-07T07:30:53","modified_gmt":"2012-06-07T06:30:53","slug":"its-not-a-bug","status":"publish","type":"post","link":"https:\/\/www.mitternachtshacking.de\/blog\/90-its-not-a-bug","title":{"rendered":"It&#8217;s not a bug &#8230;"},"content":{"rendered":"<p>Very nice &#8230; finally an interesting IIS vulnerability again \ud83d\ude42<\/p>\n<p>On Microsoft IIS 5.x on Windows 2000, <a href=\"http:\/\/support.microsoft.com\/?scid=kb%3Ben-us%3B328832&#038;x=10&#038;y=8\">authentication can be bypassed by means of hit-highlighting<\/a> (webhits.dll is the culprit):<\/p>\n<p>Cause:<\/p>\n<p>Hit-highlighting with Webhits.dll only relies on the Microsoft Windows NT Access Control List (ACL) configuration. It does not rely on non-ACL based security mechanisms such as the following:<\/p>\n<ul>\n<li>The Microsoft Internet Information Services (IIS) authentication configuration<\/li>\n<li>NTLM authentication<\/li>\n<li>Basic authentication<\/li>\n<li>IP address restrictions on files within the Webroot<\/li>\n<\/ul>\n<p>Any other company that botched something like this would probably write a &#8220;mea culpa&#8221; and promptly release a patch, hotfix, update or whatever. 
Not so Microsoft.<\/p>\n<p>Status:<\/p>\n<p>This behavior is by design.<\/p>\n<p>Cool.<\/p>\n<p>Oh, and an upgrade to IIS 6 and Windows 2003 apparently fixes the problem.<\/p>\n<p><strong>Addendum:<\/strong> Milw0rm already has a nice <a href=\"http:\/\/www.milw0rm.com\/exploits\/4016\">exploit<\/a> too.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Very nice &#8230; finally an interesting IIS vulnerability again \ud83d\ude42 On Microsoft IIS 5.x on Windows 2000, authentication can be bypassed by means of hit-highlighting (webhits.dll is the culprit): Cause: Hit-highlighting with Webhits.dll only relies on the Microsoft Windows NT Access Control List (ACL) configuration. It does not rely on non-ACL based security mechanisms such [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[1,8],"tags":[],"_links":{"self":[{"href":"https:\/\/www.mitternachtshacking.de\/blog\/wp-json\/wp\/v2\/posts\/90"}],"collection":[{"href":"https:\/\/www.mitternachtshacking.de\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mitternachtshacking.de\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mitternachtshacking.de\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mitternachtshacking.de\/blog\/wp-json\/wp\/v2\/comments?post=90"}],"version-history":[{"count":0,"href":"https:\/\/www.mitternachtshacking.de\/blog\/wp-json\/wp\/v2\/posts\/90\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.mitternachtshacking.de\/blog\/wp-json\/wp\/v2\/media?parent=90"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mitternachtshacking.de\/blog\/wp-json\/wp\/v2\/categories?post=90"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mitternachtshacking.de\/blog\/wp-json\/wp\/v2\/tags?post=90
"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}