ISBASE Security Advisory(SA2000-02)
Message-Id: <200007171410.WAA04988@localhost.localdomain>
Date: Tue, 18 Jul 2000 10:15:56 +0800
Reply-To: warning3@mail.com
From: Warning3 <warning3@MAIL.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
ISBASE Security Advisory(SA2000-02)
Topic: IIS ISM.DLL truncation exposes file content
Release Date: July 17, 2000
Affected software version:
===========================
Microsoft Internet Information Server 4.0
Microsoft Internet Information Server 5.0
Platform:
==========
Windows NT 4.0 and Windows 2000
Impact:
=========
The Isbase security team has found a security flaw in Microsoft IIS 4.0/5.0.
An attacker can obtain the contents of certain types of files (.asp, .asa, .ini, ...)
served by Microsoft Internet Information Server 4.0 or 5.0. Normally an attacker should
not be able to read the contents of those files, and they may contain sensitive data
that the attacker could then obtain.
Description:
==============
By requesting an existing filename (for example, global.asa) with "+" and the
extension ".htr" appended, an attacker can trick Microsoft Internet Information Server
4.0/5.0 into passing the request to the ISM.DLL ISAPI application. When ISM.DLL finds
"+" in the filename, it truncates the "+.htr" suffix and opens the target file
(global.asa). If the target is not an .htr file, part of its source code is returned
to the attacker. For example, an attacker can retrieve the content of global.asa,
which often contains sensitive information such as an SQL Server username and
password.
Exploit:
==========
Put this URL in your browser and view the source code of the returned page:
http://www.victim.com/global.asa+.htr
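The request pattern described above ("+.htr" appended to a filename that is not itself an .htr file) is easy to pick out of IIS W3C extended logs after the fact. The following detector is an added example written for this page, not code from the advisory or from Isbase; the log lines it scans are constructed sample data, and the field layout assumed is the W3C "#Fields:" header shown in the sample. It decodes the URI so that a URL-encoded plus sign (%2B) is treated like a literal "+", and it ignores requests for genuine .htr files.

```python
import re
from urllib.parse import unquote

# Constructed sample of IIS W3C extended log lines (not taken from the advisory).
SAMPLE_LOG = """#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 2000-07-17 14:10:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-07-17 14:10:01 192.0.2.10 GET /default.asp - 200
2000-07-17 14:10:02 192.0.2.10 GET /global.asa+.htr - 200
2000-07-17 14:10:03 192.0.2.11 GET /scripts/ism.dll - 200
2000-07-17 14:10:04 192.0.2.12 GET /admin/config.ini%2B.htr - 200
2000-07-17 14:10:05 192.0.2.13 GET /changepw.htr - 200
"""

# Shape of the request the advisory describes: an existing filename,
# then "+", then the ".htr" extension that routes the request to ISM.DLL.
TRUNCATION_RE = re.compile(r"^(?P<target>.+)\+\.htr$", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict (field name -> value) per record, using the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue  # no field layout seen yet; cannot interpret the record
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed record; skip rather than misalign columns
        yield dict(zip(fields, values))


def classify_uri(uri_stem):
    """Return the file whose source the request would expose, or None.

    The stem is percent-decoded first so that %2B is handled like '+'.
    A real .htr file wrapped in '+.htr' is not a disclosure and is ignored.
    """
    decoded = unquote(uri_stem)
    m = TRUNCATION_RE.match(decoded)
    if not m:
        return None
    target = m.group("target")
    if target.lower().endswith(".htr"):
        return None
    return target


def find_htr_truncation(text):
    """Return (client ip, target file, HTTP status) for each suspicious record."""
    hits = []
    for rec in parse_w3c(text):
        target = classify_uri(rec.get("cs-uri-stem", ""))
        if target is not None:
            hits.append((rec["c-ip"], target, rec["sc-status"]))
    return hits


if __name__ == "__main__":
    for ip, target, status in find_htr_truncation(SAMPLE_LOG):
        print(f"{ip} requested source of {target} via +.htr (status {status})")
```

A 200 status on such a record means the server answered the request, so on an unpatched server those are the entries worth correlating with the files named; once the HTR script mapping is removed as the workaround suggests, the same requests should show up with an error status instead.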
Workaround:
===========
If you don't need HTR functionality, remove the script mapping for HTR.
Solution:
===========
Microsoft has been informed and released one security bulletin concerning this
flaw.
The bulletin is live at:
http://www.microsoft.com/technet/security/bulletin/MS00-044.asp
Patches are available at:
IIS 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=22709
IIS 5.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=22708
Isbase Security Team <security@isbase.com>
ISBASE INFORMATION TECHNOLOGY CO.,LTD
(http://www.isbase.com)