Full Disclosure mailing list archives
Re: IIS 5.1 Source Disclosure Under FAT/FAT32 Volumes Using WebDAV
From: security curmudgeon <jericho () attrition org>
Date: Sun, 11 Sep 2005 01:03:41 -0400 (EDT)
Hi Jerome, : It is possible to remotely view the source code of web script files : though a specially crafted WebDAV HTTP request. Only IIS 5.1 seems to be : vulnerable. The web script file must be on a FAT or a FAT32 volume, web : scripts located on a NTFS are not vulnerable. : : The information has been provided by Inge Henriksen : <mailto:inge.henriksen%20at%20booleansoft.com>. The original article can : be found at: : http://ingehenriksen.blogspot.com/2005/09/iis-51-allows-for-remote-viewing-of.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-0778 IIS 5.0 allows remote attackers to obtain source code for .ASP files and other scripts via an HTTP GET request with a "Translate: f" header, aka the "Specialized Header" vulnerability. -- This appears to be the same issue? _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- IIS 5.1 Source Disclosure Under FAT/FAT32 Volumes Using WebDAV Jerome Athias (Sep 07)
- Re: IIS 5.1 Source Disclosure Under FAT/FAT32 Volumes Using WebDAV security curmudgeon (Sep 10)