The bad news is that I knocked one of my client’s production customer-facing web servers offline, but the good news is that I found a security hole you could drive a Hummer through sideways.
When doing some real basic (authorized and approved) security testing of a recently updated IIS6 server app, things were going fine when…whammo ‘Service Not Available’. (The web server went offline).
Oh {bleeeeeeeppp}! (insert expletive here).
Never in a million years expected that a couple of parameters thrown at a ClearTrust login page would kill the IIS service (yikes). This was not a pen-test, or anything to force buffer overflows, just some really very basic script-kiddie-101 parameter tampering….
The server guy was halfway home when he had to turn around to return to the office to restart the IIS service….I apologized and bought him lunch, so hopefully he won’t slash my tires or anything.
I was able to replicate this on a dev server, and I was able to use my ‘get out of jail free’ card, so all is well….. 🙂
To quote the words of the late-great Benny Hill: “Do unto others, then run”