Bugtraq mailing list archives
Handler Mapped File Extensions Bug
From: Tanstaafl () GEOCITIES COM (Tanstaafl)
Date: Wed, 25 Feb 1998 22:59:53 GMT
I've noticed that there is a problem with the STM handler on some sites. Somebody in a previous mail posted:
And something else... I notice handler mapped file extensions reveal system file paths for web directories, i.e. try (.idq, .idc, .stm, .pl, .cgi) depending on what is mapped. Example: http://www.microsoft.com/badidea.stm Returns "Error processing SSI file 'd:\http\badidea.stm'"
But it's even worse than that. If you take a simple URL, based on the above problem (which I also discovered), like:

http://www.victim.com/asp/something.stm/asp/Index.asp

you get the raw ASP code for the file INDEX.ASP (or anything else). The handler returns the raw code of the file without going through Perl 5 (or the appropriate programming language); this leaves previously undiscovered problems open for attack. (Although most of the programs are well protected against buffer-overloads, these scripts can be read and the information gained can be used to "crack" the site.)

A related problem is the ability to transfer the sub-directories: because the .STM file reads firstly what's in http://www.victim.com/, you are able to go from 'd:\main\WWW\' to any other directory within this hierarchy. Example:

http://www.victim.com/asp/something.stm
Returns "Error processing SSI file 'd\main\WWW\something.stm'"

http://www.victim.com/asp/something.stm/something.asp
Returns the raw "something.asp" code in the directory 'd\main\WWW\'

And,

http://www.victim.com/asp/something.stm/asp/something.asp
Returns the raw "something.asp" code in the directory 'd\main\WWW\asp\'

This includes any other files you've included as information handlers (Java class files, VB files, etc.), even encrypted password files. As long as you know the file names you can access the raw code. (This also means you can download it.)

I'd like to thank "Michał Zalewski" <lcamtuf () boss staszic waw pl> for his help in discovering this problem. I'll further investigate this problem.

blaze your trail!

--
David Dune
Unsolicited commercial email read for $500 per message.
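A defender-side check for the request shape the post describes (a handler-mapped extension such as .stm used as a path component with more path behind it), written here as an added example that is not part of the original post or of any IIS tooling. The log format and sample lines are constructed, and the handler-extension set is an assumption taken from the extensions the post lists.

```python
"""Flag web-server log lines where a handler-mapped file has trailing path info."""
import re
from urllib.parse import unquote

# Extensions the post lists as handler-mapped on IIS; assumption, adjust to the
# site's real script mappings.
HANDLER_EXTS = ("stm", "idc", "idq", "pl", "cgi")

# Constructed W3C-style lines: date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
1998-02-25 22:10:01 10.0.0.5 GET /asp/Index.asp 200
1998-02-25 22:10:07 10.0.0.5 GET /asp/something.stm 500
1998-02-25 22:10:12 10.0.0.5 GET /asp/something.stm/asp/Index.asp 200
1998-02-25 22:10:20 10.0.0.9 GET /images/logo.gif 200
1998-02-25 22:10:31 10.0.0.5 GET /cgi-bin/form.cgi/../../global.asa 200
"""

_LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\d{3})$")
# A handler-mapped extension immediately followed by a further path segment.
_PATHINFO_RE = re.compile(
    r"\.(" + "|".join(HANDLER_EXTS) + r")(/[^?\s]+)", re.IGNORECASE)


def classify_uri(uri: str):
    """Return (finding, path_info); finding is None for ordinary requests."""
    stem = unquote(uri).split("?", 1)[0]        # decode %2F tricks, drop query
    m = _PATHINFO_RE.search(stem)
    if not m:
        return None, None
    extra = m.group(2)
    if ".." in extra.split("/"):                 # path info that climbs upward
        return "handler_pathinfo_traversal", extra
    return "handler_pathinfo_source_read", extra


def scan_log(text: str):
    """Parse constructed log lines and return one dict per suspicious request."""
    findings = []
    for line in text.splitlines():
        lm = _LOG_RE.match(line)
        if not lm:
            continue
        ts, ip, method, uri, status = lm.groups()
        finding, extra = classify_uri(uri)
        if finding:
            findings.append({"time": ts, "client": ip, "method": method,
                             "uri": uri, "status": int(status),
                             "finding": finding, "path_info": extra})
    return findings
```

Requests for a handler-mapped file with no trailing path (the second sample line) are not flagged by this check; correlating those with 5xx responses is a separate signal for the path-disclosure error message in the post.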
Current thread:
- Handler Mapped File Extensions Bug Tanstaafl (Feb 25)
- <Possible follow-ups>
- Re: Handler Mapped File Extensions Bug Darryl Braaten (Feb 26)
- Re: Handler Mapped File Extensions Bug Michal Zalewski (Feb 28)