Is it really a vulnerability just because you can see the pages?
I asked Russ Cooper of NTBugtraq fame that very question. Cooper noted, "The box may be secured, yet that page is exposed for some particular reason. It's not likely; it's more likely that it is an unsecured IIS box. If you are able to get that page, that means that that port is not being restricted. And that port should definitely be restricted."
A Microsoft spokesperson told NewsForge:
The administration pages you referred to are the password change scripts. These pages are not enabled with IIS 6.0 by default, and enabling this functionality requires additional configuration on the part of the machine administrator. Even when enabled, administrators have the option to choose a secure URL. Microsoft has tested the code extensively for cross-site script vulnerabilities and is not aware of any existing XSS issues.
Brute force attacks are not unique to Microsoft's password change scripts; they're common to any Web-based login application including many Web-based mail systems, e-commerce Web sites and intranet applications. In this specific instance, the account lock-out policy, which locks an account after a specified number of unsuccessful login attempts, is the most straightforward mitigation strategy.
Reporting the vulnerability
After finding the sites mentioned above, I spent considerable time and effort trying
It turns out I was going about the process of vulnerability notification all wrong. I should have gone to the United States Computer Emergency Readiness Team to report them.
More on Google hacking
As Johnny Long promised during Black Hat and Defcon, he made the latest version of his slide presentation on Google hacking available on his site this week. Unfortunately, it looks as if his site got defaced in response.