todb at planb-security.net
Wed Nov 13 14:37:05 GMT 2002
Mark Rowlands (Wednesday, November 13, 2002, 3:20 AM) wrote:
> Something I haven't seen before popping up in my logs is this :-
> "PROPFIND /c%24 HTTP/1.1" 405 915 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
> It has come from a couple of sources ...one Roadrunner, one AOL so my no. 1
> hypothesis is dumb user with Windows XP / Frontpage.
There's a Microsoft hotfix here, posted Oct 30, 2002:
It fixes a denial-of-service exposure in IIS's WebDAV implementation.
Since the exposure hinges on a running Index Service, I would guess
the malformed URL would have something to do with PROPFIND. However, the
bulletin provides no details on what an attack would actually look like.
After reading it, I found that turning off WebDAV altogether can only be
accomplished through a registry edit. This Q article describes this
Also, WebDAV is disabled with IISLockdown.
Tod Beardsley (GCIA, MCSE)
"It's okay to yell fire in a crowded theater
if the theater is actually on fire."
More information about the list