Full Disclosure mailing list archives
[bWM#013] IIS (patched) may execute any file in a ".asp"-directory (bad behavior)
From: <ben.moeckel () badwebmasters net>
Date: Sun, 3 Aug 2003 14:00:02 +0200
badWebMasters security advisory #013 IIS (patched) may execute any file in a ".asp"-directory (bad behavior) Discovery date: 2003-05-17 Author: ben moeckel (http://distressed.de) mailto: badwebmasters () online de Description: When a directory is named like an asp-file the asp engine will parse any file in it, no matter what extension the file has. This may be dangerous when users where able to create directories and upload images in it, a malicious user could upload an asp- script with the extension of an image and run it on the server. Exploit: Create the directory "test.asp" in your webroot and place the following file in it: -- exploit.gif ------------------------------------ Hello world, I'm an image! --------------------------------------------------- Open http://localhost/test.asp/exploit.gif in your browser and you should read the message. Live sample: http://badwebmasters.net/advisory/013/test.asp/exploit.gif Vendor: Microsoft has been contacted 06-16-03 via the webform about this bug. References: aspforum.de "Verschickter IIS..." (german) - http://aspforum.de/topic.asp?TOPIC_ID=13863 Path Parsing Errata in Apache - http://cert.uni-stuttgart.de/archive/bugtraq/2003/01/msg00202.html Feedback: Comments, suggestions, updates, anything else? -> mailto:badwebmasters () online de Source: http://badwebmasters.net/advisory/013/ (text/html) _________________________________________ badWebMasters - ben moeckel security research http://badwebmasters.de http://badwebmasters.net copyright 2k1-3 by Benjamin Klimmek / Germany mailto:badwebmasters () online de _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- [bWM#013] IIS (patched) may execute any file in a ".asp"-directory (bad behavior) ben.moeckel (Aug 03)