[25119] in bugtraq
RE: Microsoft IIS 5.0 CodeBrws.asp Source Disclosure
daemon@ATHENA.MIT.EDU (Randy Hinders)
Wed Apr 17 19:19:22 2002
From: "Randy Hinders" <rahinders@hotmail.com>
To: sflist@digitaloffense.net, bugtraq@securityfocus.com
Cc: vulnwatch@vulnwatch.org
Date: Wed, 17 Apr 2002 08:25:27 -0400
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID: <F92SEs0wZPwW88XrFYC0000afe6@hotmail.com>
While checking various files and extensions I wanted to ensure that other
files were still "protected" from this. I was not able to read the
global.asa but was able to read (as expected) other asp pages.
http://localhost//iissamples/sdk/asp/docs/CodeBrws.asp?Source=/IISSAMPLES/%c0%ae%c0%ae/global.asa
Returned "View Active Server Page Source-- Access Denied" to the browser.
http://localhost//iissamples/sdk/asp/docs/CodeBrws.asp?Source=/IISSAMPLES/%c0%ae%c0%ae/iisstart.asp
Returned the source code to the browser.
Yes, the IISSAMPLES and all other SDK items should never be installed on a
production machine, but should a client upload this code to a shared hosting
environment where the global.asa is properly protected with NTFS permissions,
they will not be able to gain access to the source code through this method.
HTH
Randy Hinders
MCT (ret.), MCSE, MCP +I & A+
NT Systems Administrator
DONet, Inc
www.donet.com
www.adsi4nt.com
~~Hoka Hey, Lakotas~~
-----Original Message-----
From: H D Moore [mailto:sflist@digitaloffense.net]
Sent: Tuesday, April 16, 2002 11:01 PM
To: bugtraq@securityfocus.com
Cc: vulnwatch@vulnwatch.org
Subject: Microsoft IIS 5.0 CodeBrws.asp Source Disclosure
--[ Microsoft IIS 5.0 CodeBrws.asp Source Disclosure
Summary:
Microsoft's IIS 5.0 web server is shipped with a set of
sample files to demonstrate different features of the ASP
language. One of these sample files allows a remote user to
view the source of any file in the web root with the extension
.asp, .inc, .htm, or .html. The IISSamples virtual directory
should not be left on production servers in the first place,
but until now there were no serious[1] vulnerabilities found in
those sample scripts. Microsoft was _not_ contacted about
this, they can read the lists like everyone else. This is an
issue that can be fixed by proper system administration.
<snip>
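A defender-side log check that follows on from the two URLs in the reply above, written as an added example that is not part of either post. It parses constructed IIS W3C-style log lines, percent-decodes the CodeBrws.asp `Source` parameter, collapses overlong UTF-8 forms such as `%c0%ae` (an overlong encoding of `.`) the way a tolerant decoder would, and flags any request whose normalized path contains a traversal, leaves the sample tree, or asks for an extension the advisory says the viewer should not display. The allowed extensions are the four named in the advisory; the `SAMPLE_ROOT` value and the assumption that the viewer's intended scope is the `/IISSAMPLES` tree are mine, and the log lines are constructed.

```python
"""Flag CodeBrws.asp requests whose Source parameter escapes the sample tree.

Added example, not part of the original bugtraq thread. The log lines below
are constructed; the field layout mimics IIS W3C extended logging
(date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).
"""
import posixpath
from urllib.parse import unquote_to_bytes

# Extensions the advisory says CodeBrws.asp will display.
ALLOWED_EXT = {".asp", ".inc", ".htm", ".html"}
# Assumed intended scope of the viewer: its own sample tree.
SAMPLE_ROOT = "/IISSAMPLES"

# Constructed sample log lines (not from the original post).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-04-17 12:25:01 10.0.0.5 GET /iissamples/sdk/asp/docs/CodeBrws.asp Source=/IISSAMPLES/sdk/asp/docs/CodeBrws.asp 200
2002-04-17 12:25:09 10.0.0.5 GET /iissamples/sdk/asp/docs/CodeBrws.asp Source=/IISSAMPLES/%c0%ae%c0%ae/global.asa 200
2002-04-17 12:25:15 10.0.0.5 GET /iissamples/sdk/asp/docs/CodeBrws.asp Source=/IISSAMPLES/%c0%ae%c0%ae/iisstart.asp 200
2002-04-17 12:26:00 10.0.0.9 GET /index.asp - 200
"""


def decode_lenient(raw):
    """Decode bytes the way a tolerant server might: overlong two- and
    three-byte UTF-8 forms collapse to the character they encode
    (%c0%ae -> '.'); everything else passes through as Latin-1."""
    out, i, n = [], 0, len(raw)
    while i < n:
        b = raw[i]
        # Two-byte overlong form: lead byte C0/C1 plus one continuation byte.
        if b in (0xC0, 0xC1) and i + 1 < n and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
            continue
        # Three-byte overlong form: lead byte E0 with a continuation below A0.
        if (b == 0xE0 and i + 2 < n and 0x80 <= raw[i + 1] <= 0x9F
                and 0x80 <= raw[i + 2] <= 0xBF):
            out.append(chr(((b & 0x0F) << 12) | ((raw[i + 1] & 0x3F) << 6)
                           | (raw[i + 2] & 0x3F)))
            i += 3
            continue
        out.append(chr(b))
        i += 1
    return "".join(out)


def raw_query_param(query, name):
    """Return the still-percent-encoded value of `name`, or None."""
    for part in query.split("&"):
        key, _, value = part.partition("=")
        if key == name:
            return value
    return None


def analyze_request(uri_stem, query):
    """Return a list of findings for a CodeBrws.asp request, [] if it looks
    benign, or None if the request is not for CodeBrws.asp at all."""
    if not uri_stem.lower().endswith("/codebrws.asp"):
        return None
    raw = raw_query_param(query, "Source")
    if raw is None:
        return []
    raw_bytes = unquote_to_bytes(raw)
    decoded = decode_lenient(raw_bytes)
    findings = []
    # Overlong forms were collapsed: a literal ".." check on the raw
    # string would not have seen the traversal.
    if decoded != raw_bytes.decode("latin-1"):
        findings.append("overlong-utf8")
    path = decoded.replace("\\", "/")
    if ".." in path.split("/"):
        findings.append("traversal")
    normalized = posixpath.normpath(path)
    if not normalized.upper().startswith(SAMPLE_ROOT + "/"):
        findings.append("outside-sample-root")
    if posixpath.splitext(normalized)[1].lower() not in ALLOWED_EXT:
        findings.append("disallowed-extension")
    return findings


def scan_log(text):
    """Run analyze_request over W3C-style log lines; return flagged entries."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        date, time, client, _method, stem, query, _status = fields[:7]
        findings = analyze_request(stem, query)
        if findings:
            hits.append({"time": f"{date} {time}", "client": client,
                         "source": raw_query_param(query, "Source"),
                         "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["source"],
              ", ".join(hit["findings"]))
```

The decoder deliberately collapses overlong sequences before any path check, so the check sees the same `..` the server would; comparing the collapsed string against a plain Latin-1 decode is what exposes the encoding trick as its own finding, separate from the traversal itself.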