strange urlscan behaviour

From: Marco van Berkum (m.v.berkum@obit.nl)
Date: Tue Mar 18 2003 - 06:21:38 EST


Hi,

While pentesting a remote customer I came across this issue:

$ telnet somehost 80
Trying xxx.xxx.xxx.xxx...
Connected to somehost.
Escape character is '^]'.
SEARCH / HTTP/1.0

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Cache-Control: no-cache,no-transform
Expires: Tue, 18 Mar 2003 10:49:32 GMT
Content-Location: http://xxx.xxx.xxx.xxx/intro.htm?404;http://xxx.xxx.xxx.xxx/>?~/
Vary: *
Date: Tue, 18 Mar 2003 10:49:32 GMT
Content-Type: text/html
Accept-Ranges: bytes
Content-Length: 302

<HTML>
bladiebla text text
</HTML>
Connection closed by foreign host.
$

This site is using lockdown but what surprised me a bit is that it's nicely
telling me that it's using urlscan in the Content-Location header.
It exposes this information by using the SEARCH, TRACE, PROPFIND
and PROPPATCH options; any other requests do not expose 'interesting'
information in the Content-Location header.

According to the OPTIONS request these options are allowed:

Public: OPTIONS, TRACE, GET, HEAD, POST
Allow: OPTIONS, TRACE, GET, HEAD

I was not able to produce this on other machines.
Any hints on what might be causing this?

Cheers,
Marco van Berkum

--
 ----------------------------------------
|    Marco van Berkum / MB17300-RIPE     |
| m.v.berkum@obit.nl / http://ws.obit.nl |
 ----------------------------------------
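
A defender-side check for the behaviour described in the message, as an added example that is not part of the original post: it parses captured response heads per method and flags methods that answer 200 without being listed in Allow, and Content-Location values carrying an IIS custom-error query (`?404;<original URL>`). The sample responses, the 192.0.2.10 address, the REJECTED-PLACEHOLDER path and the function names are constructed for illustration.

```python
import re

# IIS custom-error pages receive the query "?<status>;<original URL>".
CUSTOM_ERROR = re.compile(r"\?(\d{3});(\S+)$")

HEAD = "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n"
LEAK = "http://192.0.2.10/intro.htm?404;http://192.0.2.10/REJECTED-PLACEHOLDER?~/"
# Constructed captures, one per request method (headers only).
SAMPLES = {
    "GET": HEAD + "Content-Location: http://192.0.2.10/intro.htm\r\n\r\n",
    # Header value wrapped onto a continuation line, as in the quoted session.
    "SEARCH": HEAD + "Content-Location:\r\n " + LEAK + "\r\n\r\n",
    "TRACE": HEAD + "Content-Location: " + LEAK + "\r\n\r\n",
}
ALLOW = "OPTIONS, TRACE, GET, HEAD"  # Allow header from the OPTIONS reply


def parse_response(raw):
    """Return (status, headers) from a raw response head, unfolding wrapped lines."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split()[1])
    headers, last = {}, None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last:  # continuation of the previous header
            headers[last] = (headers[last] + " " + line.strip()).strip()
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        headers[last] = value.strip()
    return status, headers


def audit(responses, allow):
    """List (method, issue) pairs for unadvertised 200s and leaking Content-Location."""
    allowed = {m.strip().upper() for m in allow.split(",")}
    findings = []
    for method, raw in responses.items():
        status, headers = parse_response(raw)
        if method not in allowed and status == 200:
            findings.append((method, "answered-200-but-not-in-Allow"))
        match = CUSTOM_ERROR.search(headers.get("content-location", ""))
        if match:
            findings.append((method, "content-location-leaks-error-" + match.group(1)))
    return findings


if __name__ == "__main__":
    for method, issue in audit(SAMPLES, ALLOW):
        print(method, issue)
```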

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:30 EDT