5/28/03 Cumulative Patch for Internet Information Service
SPI Labs and NSFocus have discovered multiple holes in IIS. Two denial of service conditions exist that can allow an attacker to cause IIS to stop responding. One cross site scripting issue exists in the 302 redirection pages, and one buffer overflow allows command execution as the web server user. The buffer overflow requires the user to have upload ability and Server Side Include permissions.
To apply this patch, run Windows Update and install patch "Q811114".
5/28/03 Apache Pre 2.0.46 Denial of Service
Below is a snippet from the Apache advisory.
Apache 2.0.46 Major changes
Security vulnerabilities closed since Apache 2.0.45
*) SECURITY [CAN-2003-0245]: Fixed a bug that could be triggered
remotely through mod_dav and possibly other mechanisms, causing
an Apache child process to crash. The crash was first reported
by David Endler and was researched and
fixed by Joe Orton. Details will be released
on 30 May 2003.
*) SECURITY [CAN-2003-0189]: Fixed a denial-of-service vulnerability
affecting basic authentication on Unix platforms related to
thread-safety in apr_password_validate(). The problem was reported
by John Hughes.
5/27/03 Sun One Application Server Multiple vulnerabilities
SPI Labs has identified four issues in the popular Sun One application server. They range from source code theft, log evasion, and cross site scripting to plaintext administrative password storage.
Sun One Multiple Issues
5/27/03 Multiple holes in Vignette
s21sec has discovered eight vulnerabilities in Vignette Application.
Vignette User enumeration
Vignette TCL Command execution
Vignette internal information leak
Vignette Server side include injection
Vignette Cross site scripting issues
Vignette License access modification
Vignette SQL Injection
Vignette AIX memory leak
5/17/03 IIS Security and Programming Countermeasures e-book released
Jason Coombs has released this 440-page e-book on IIS security and secure programming. Worth a read if you run IIS on a production system.
5/17/03 Windows update isn't always updating...
According to this email from NTBugtraq, Windows Update is falsely reporting when your system is patched. It also goes into further detail on how to make sure your system is properly patched with Windows Update. Definitely worth a read.
I've recently made a few additions to the site that I would like to point out.
1. I've added the .NET security page which contains links to .NET related documentation.
2. I added relevant newsgroups to the "Quick Links" pages towards the bottom right hand corner.
3. Added more documents to the library section of this website.
I will be adding WebSphere, WebLogic, Oracle, MySQL, and IIS sections to this website. They will have documents on security, tutorials, and downloads relevant to each product.
If there is anything on this website that you feel should be here, please tell me.