
RE: URL Scan for IIS

From: <securityarchitect(at)hush.com>
Date: Sun Feb 23 2003 - 15:47:30 EST

"blocks all known attacks"....wow, that's a powerful statement! What's that based on? Do I throw away my application IDS now then ;-) I could write bad code and this will stop it all then? eeeek....

Unless I missed something, the IIS Lockdown wizard selection doesn't change the URLScan ini file. It turns off services and mappings. If you select an HTML-only site it will not map ASP etc., as well as all the unmapping of htw, htr etc.

What I was really looking for was something more like

by adding the < and > strings you can stop XSS..

My real question is this seems to be reversed to good practice for input filtering, i.e. I want to say only allow this in the ini file and automatically block the meta-chars...

On Sun, 23 Feb 2003 00:06:37 -0800 Maher Odeh <rax@netvision.net.il> wrote:
>regarding your question about URLScan ...

Received on Sun Feb 23 15:50:06 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:49 EDT

