[13330] in bugtraq
Re: IIS still revealing paths for web directories
daemon@ATHENA.MIT.EDU (Georgi Guninski)
Thu Jan 13 15:20:54 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 7bit
Message-Id: <387DA495.3E1C502C@nat.bg>
Date: Thu, 13 Jan 2000 12:10:29 +0200
Reply-To: Georgi Guninski <joro@NAT.BG>
From: Georgi Guninski <joro@NAT.BG>
X-To: vanja@relaygroup.com
To: BUGTRAQ@SECURITYFOCUS.COM
Vanja Hrustic wrote:
>
> This has been mentioned before, but it's probably good to remind
> Microsoft about some outstanding issues.
>
> Request : http://www.microsoft.com/anything.ida
> Response: The IDQ file d:\http\anything.ida could not be found.
>
> Request : http://www.microsoft.com/anything.idq
> Response: The IDQ file d:\http\anything.idq could not be found.
>
> Microsoft is running IIS5
>
> The same problem still exists on IIS4 (tested with SP5 - didn't try on
> SP6).
>
> It's not really a big deal, but they should fix it.
>
This leads to a client side problem also.
The problem is IIS does not escape the response, so one may put some
HTML and javascript in the page returned from www.microsoft.com.
Vulnerabilities:
1) For IE (tested on 5.01, probably other versions) - if the user has
put www.microsoft.com in the Trusted sites security zone, then hostile
javascript and ActiveX may be executed in the Trusted sites security
zone.
2) It is possible to spoof www.microsoft.com by just clicking on a link.
There are probably other vulnerabilities.
Demonstration - click on the links, may also be invoked by javascript:
For IE:
http://www.microsoft.com/%3CP%20style=left:expression(alert("window.location:"+window.location))%3E.ida
(I am surprised <IMG SRC="javascript:code"> does not work in IE, one
need to reload the page in order to make it executed)
For Communicator:
http://www.microsoft.com/%3CIMG%20SRC=javascript:alert("window.location:"+window.location)%3E.ida
Regards,
Georgi Guninski
http://www.nat.bg/~joro
