L0pht Security Advisory

Advisory released Mar 19 1997
Application: Microsoft IIS 3.0
Vulnerability Scope: IIS 3.0 w/latest hot-fixes dated Feb 27 14:22:00
Severity: Users can read the server side script in .asp, .ht., .id, .PL files
Author: weld@l0pht.com
Overview:
Microsoft's IIS 3.0 supports server side scripting using "Active Server
Pages" or .asp files. These files are meant to execute and not be
visible to the user. These scripts may contain sensitive information
such as SQL Server passwords. These files can be downloaded and
viewed instead of executed by replacing '.' in a URL with a '%2e'.
Description:
A problem was discovered in IIS 3.0 that allowed users to read the
contents of .asp files by appending a '.' or a series of '.'s to the
end of a URL:
http://www.mycompany.com/default.asp
becomes
http://www.mycompany.com/default.asp.
Microsoft acknowledged the problem and released a hot-fix patch to IIS 3.0.
This is available from
http://www.microsoft.com/iis/iisnews/hotnews/security.htm
This hot-fix solved the trailing '.' problem but opened up a new hole which
allows the same results - viewing the .asp file instead of executing it.
This is accomplished by replacing the '.' in the filename part of a URL
with a '%2e', the hex value for '.':
http://www.mycompany.com/default.asp
becomes
http://www.mycompany.com/default%2easp
Your browser will prompt you to save the file to disk where you can then
view the contents of the .asp file.
Web sites that have not installed the Microsoft IIS 3.0 hot-fix are not
affected by this problem, although the trailing '.' method still works to
display the contents of the .asp file.
Microsoft has been notified of this problem.
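
A log check for the two request forms described above, added here as an example and not part of the L0pht advisory. It assumes the web log records the request URI as sent, before percent-decoding; the log line layout, the `classify` and `scan` helpers and the sample entries are constructed for illustration.

```python
from urllib.parse import unquote

# Script types taken from the advisory's list; extend for your own server.
SCRIPT_EXTS = ("asp", "pl")

def classify(raw_uri, exts=SCRIPT_EXTS):
    """Classify a raw (undecoded) request URI.

    Returns 'encoded-dot', 'trailing-dot', or None for an ordinary request.
    """
    name = raw_uri.split("?", 1)[0].rsplit("/", 1)[-1]  # last path segment
    decoded = unquote(name)            # percent-decoded file name
    canonical = decoded.rstrip(".")    # Windows ignores trailing dots in names
    _, dot, ext = canonical.rpartition(".")
    if not dot or ext.lower() not in exts:
        return None                    # not a server-side script
    if not name.lower().rstrip(".").endswith("." + ext.lower()):
        return "encoded-dot"           # the extension dot was sent as %2e
    if decoded != canonical:
        return "trailing-dot"          # default.asp. style request
    return None

def scan(log_lines):
    """Return (client, uri, kind) for every line that matches either form."""
    hits = []
    for line in log_lines:
        client, method, uri, status = line.split()
        kind = classify(uri)
        if kind:
            hits.append((client, uri, kind))
    return hits

# Constructed sample log: "client method raw-uri status" (not real IIS output).
SAMPLE_LOG = [
    "192.0.2.10 GET /default.asp 200",
    "192.0.2.11 GET /default.asp. 200",
    "192.0.2.12 GET /default%2easp 200",
    "192.0.2.13 GET /scripts/report%2Easp?id=7 200",
    "192.0.2.14 GET /images/logo.v2.gif 200",
]

if __name__ == "__main__":
    for client, uri, kind in scan(SAMPLE_LOG):
        print(f"{client} {kind:13} {uri}")
```

A 200 response to either form is worth following up by checking whether the body returned was script source rather than rendered output.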
---
Check out http://www.l0pht.com/advisories.html for other l0pht advisories
---