Vulnerability Development mailing list archives
Re: your mail
From: El Nahual <nahual () S0D SAL ITESM MX>
Date: Fri, 11 Aug 2000 04:26:30 -0800
On Wed, 9 Aug 2000, Bruce Dang wrote:
Paul, I have seen this "bug" in IIS 4.0 before. I think a friend of mine exploited it a few months ago. It has something to do with the NULL.HTW file, it will reveal the passwords from the file (parsed on the server side of course). I never bothered to report it to MS sekurity cuz of laziness :>. I guess they will look into it now :<. Thanks for bringing it up. Cheers, Bruce
One thing tht was never stressed enough about null.htw is that was reported to be able to see .asp and .css files, well .asa files can also be seen, so there is how sql login/names are taken, I can't stress enough this to all the customers we have. Having your global.asa file seen is not very cool if you use databases ;P ... just my 2 cents ... Enrique Sanchez Security Consultant http://www.s0d.org
Current thread:
- [no subject] Paul Rogers (Aug 09)
- Re: IIS/4.0 ASP include files Arturo Busleiman (Aug 10)
- [no subject] Bruce Dang (Aug 10)
- Re: your mail El Nahual (Aug 14)
- Out of Topic But Interesting "Hacker Humor" Matthew F. Caldwell (Aug 14)
- Re: IIS4.0 .inc files info.nl Security (Aug 15)
- Re: your mail El Nahual (Aug 14)