[3035] in bugtraq
Re: Microsoft IIS '..' Problem
daemon@ATHENA.MIT.EDU (John Ladwig)
Fri Jul 26 17:30:01 1996
Date: Fri, 26 Jul 1996 14:27:50 -0500
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: John Ladwig <jladwig@Soils.Umn.EDU>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: Thomas Lopatic's message
<199607261841.UAA08698@lionsden.informatik.uni-muenchen.de> of 26
July 1996
>>>>> On Fri, 26 Jul 1996 20:41:13 +0200, Thomas Lopatic <lopatic@dbs.informatik.uni-muenchen.de> said:
TL> Sorry for not disclosing. I thought I had seen that one on
TL> bugtraq. Suppose there is a document
TL> 'http://dummy.com/Public/Index.htm' and 'Index.html' is
TL> 'C:\inetsrv\wwwroot\Public\Index.htm'. Then try getting
TL> 'http://dummy.com/Public/../../../autoexec.bat' which will
TL> give you 'C:\autoexec.bat'. It seems, however, that the first
TL> directory ('Public') will be necessary,
TL> i. e. 'http://dummy.com/../../autoexec.bat' won't work.
IIS 1.0c on NT 3.51 gives a "HTTP/1.0 400 Bad Request" when I try to
exploit this. I was working out of the IIS /samples/ directory in the
attacking URL.
-jml
