| Reference | Link |
|---|---|
| Relevant Security Advisories | |
| Microsoft Security Bulletin MS04-011, SSL PCT Buffer Overflow | http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx |
| "Multiple Vulnerabilities in Sun-One Application Server," includes a log evasion issue | http://www.spidynamics.com/spilabs/advisories/sun-one.html |
| "Preventing Log Evasion in IIS," by Robert Auger | http://www.webappsec.org/projects/articles/082905.shtml |
| TRACK Log Bypass | http://secunia.com/advisories/10506/ |
| BEA WebLogic Advisory | http://dev2dev.bea.com/pub/advisory/65 |
| Apache Mailing Lists; subscribing to the announcements list is recommended to receive security bulletin information | http://httpd.apache.org/lists.html |
| PHPXMLRPC Remote PHP Code Injection Vulnerability | http://www.hardened-php.net/advisory_152005.67.html |
| PEAR XML_RPC Remote PHP Code Injection Vulnerability | http://www.hardened-php.net/advisory_142005.66.html |
| phpAdsNew XML-RPC PHP Code Execution Vulnerability | http://secunia.com/advisories/15883/ |
| A Study In Scarlet, Exploiting Common Vulnerabilities in PHP Applications | http://hcs.harvard.edu/~acctserv/help/studyinscarlet.txt |
| PEAR XML-RPC patch | http://pear.php.net/package/XML_RPC/ |
| XML-RPC for PHP patch | http://phpxmlrpc.sourceforge.net |
| WebInsta patch | http://www.webinsta.com/downloadm.html |
| Published Exploits | |
| Microsoft PCT buffer overflow | www.k-otik.com |
| Free Tools | |
| jad, the Java disassembler | |
| Apache ModSecurity | http://www.modsecurity.org |
| ModChroot | http://core.segfault.pl/~hobbit/mod_chroot/ |
| Apache chroot(2) patch by Arjan De Vet | http://www.devet.org/apache/chroot/ |
| Apache SuExec documentation | http://httpd.apache.org/docs/ |
| The Center for Internet Security (CIS) Apache Benchmark tool and documentation | http://www.cisecurity.org/bench_apache.html |
| Microsoft Update Service | |
| Microsoft IISLockdown and URLScan tools | http://www.microsoft.com/ |
| Cygwin | http://www.cygwin.com/ |
| Commercial Tools | |
| CORE IMPACT, a penetration testing suite from Core Security Technologies | http://www.corest.com/ |
| CANVAS Professional, an exploit development framework from Immunity | http://www.immunitysec.com |
| General References | |
| IIS Security Checklist | http://www.microsoft.com/security |
| URLScan Information Page | http://www.microsoft.com/technet/security/tools/urlscan.mspx |
| "Preventing Log Evasion in IIS" | http://www.webappsec.org/projects/articles/082905.shtml |
| "Securing Apache: Step By Step," by Ryan C. Barnett | http://www.cgisecurity.com/lib/ryan_barnett_gcux_practical.html |
| Bastille Linux Hardening Program | http://www.bastille-linux.org |
| Apache Security by Ivan Ristic (O'Reilly) | http://www.apachesecurity.net/ |