Back towards the end of 2001, I remember attending a free evening seminar in the Dallas, TX area, where an individual demonstrated exposing a security "hole" in IIS. I cannot remember what info he passed via a URL string in his browser, but the result was that he was able to "get into" or "view" the directory structure of the wwwroot directory under the Windows Inetpub directory. For those of us who use Windows servers with JSP/Servlet servers such as JRUN, someone could gain direct access to your web pages and thereby change your web site using the technique he demonstrated. The gist of his demonstration was that you should never use URL rewriting, particularly on a Windows server, unless you absolutely have to. He also mentioned some steps to take to prevent someone from accessing your server's directory structure via the technique he used in his demonstration.
I cannot find any articles via Google.com that discuss this potential security breach in IIS. Does this ring a bell with anyone in the user community? If so, does anyone know where this information is documented, which would also detail how to "block" someone from entering an IIS directory structure as this individual demonstrated? Any insight/info regarding this subject would be appreciated.

Celeste
