Bugtraq mailing list archives
Re: [NTSEC] ! [ADVISORY] Major Security Hole in MS ASP
From: mitja.kolsek () IJS SI (Mitja Kolsek)
Date: Tue, 25 Feb 1997 09:24:22 +0100
I suppose there's a simpler solution for those who want to protect their asp, .idc & .htx files that are so well mixed among regular .htm files.

In your registry, under IIS ScriptMapping
(HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services/W3SVC/Parameters/ScriptMapping)
(could be this is not _quite_ exact, but you'll find it)

Create a string value named ".ASP." (note the ending dot) and copy its data from ".ASP" value already present in this registry key if you're running IIS 3.0.

This successfully renders the 'dot attack' ineffective. Apply this procedure to all script extensions.

Nevertheless I suggest moving all script files to a separate folder, so use this technique only as a temporary measure. There will soon be another security hole in the wild so it's better to be prepared.

Mitja Kolsek

----------
From: Mark Joseph Edwards <mark () ntshop net>
To: 'bugtraq () netspace org'
Cc: 'ntbugtraq () rc on ca'; 'ntsecurity () iss net'
Subject: [NTSEC] ! [ADVISORY] Major Security Hole in MS ASP
Date: Thursday, February 20, 1997 6:39 PM

MICROSOFT IIS AND ACTIVE SERVER ADVISORY
Security Hole in ASP Discovered in Microsoft ASP
February 20, 1997

DESCRIPTION

A serious security hole was found in Microsoft's Active Server Pages (ASP) by Juan T. Llibre <j.llibre () codetel net do>. This hole allows Web clients to download unprocessed ASP files potentially exposing user ids and passwords. ASP files are the common file type used by Microsoft's IIS and Active Server to perform server-side processing.

HOW IT WORKS

To download an unprocessed ASP file, simply append a period to the asp URL. For example:

http://www.domain1.com/default.asp

becomes

http://www.domain1.com/default.asp.

With the period appendage, Internet Information Server (IIS) will send the unprocessed ASP file to the Web client, wherein the source to the file can be examined at will.

If the source includes any security parameter designed to allow access to other system processes, such as an SQL database, they will be revealed.
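The registry workaround described in the reply above, as an added example that is not part of either original post: it reads a REGEDIT4 export of the script-map key, finds every script extension that has no trailing-dot twin, and renders the values to add. The key path is the one given in the reply (which its author says may not be exact); the handler DLL paths and all function names are constructed for illustration.

```python
import re

# Key path as given in the reply (its author notes it may not be exact).
KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W3SVC\Parameters\ScriptMapping"

# Constructed sample export; handler paths are illustrative, not from the posts.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W3SVC\Parameters\ScriptMapping]
".asp"="C:\\WINNT\\System32\\inetsrv\\asp.dll"
".ASP."="C:\\WINNT\\System32\\inetsrv\\asp.dll"
".idc"="C:\\WINNT\\System32\\inetsrv\\httpodbc.dll"
".htx"="C:\\WINNT\\System32\\inetsrv\\httpodbc.dll"
'''

# "name"="data" string values, allowing backslash-escaped characters.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')

def parse_script_map(export_text, key=KEY):
    """Return {value name: escaped data} for string values under `key`."""
    values, in_key = {}, False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == key.lower()
        elif in_key:
            m = VALUE_RE.match(line)
            if m:
                values[m.group(1)] = m.group(2)
    return values

def missing_dot_aliases(script_map):
    """Map each absent trailing-dot alias to the data it should copy."""
    present = {name.lower() for name in script_map}  # value names are case-insensitive
    missing = {}
    for name, data in script_map.items():
        if name.endswith("."):
            continue  # already a dotted alias, do not add a second dot
        if (name + ".").lower() not in present:
            missing[name + "."] = data
    return missing

def render_reg(missing, key=KEY):
    """Render a REGEDIT4 fragment that adds the missing aliases."""
    lines = ["REGEDIT4", "", "[%s]" % key]
    lines += ['"%s"="%s"' % (n, d) for n, d in sorted(missing.items())]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(render_reg(missing_dot_aliases(parse_script_map(SAMPLE_EXPORT))))
```

An empty result from `missing_dot_aliases` means every mapped extension already has its dotted alias.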