Vulnerability Development mailing list archives

Re: IIS4.0 .inc files


From: "info.nl Security" <security () INFO NL>
Date: Tue, 15 Aug 2000 19:00:59 +0200

Hi Paul, Ollie, Chris a.o.,

of course, the only right thing to do would be to pull _all_ include files
out of IIS' VFS namespace. This way no-one could ever possibly succeed at
something like http://yourserver.org/somewhere/something.inc, because the
file simply cannot be reached directly through HTTP.

Use '#include file=' instead of '#include virtual=' from ASP and you should
be home free.

You would still have to be careful though not to supply any information
through error messages or ~handlers you build yourself to the browser. I
have seen marvellously crafted error handlers that simply give away *all*
the information you can think of for accessing the database behind the site
(password, info, servertype, ODBC library type, make, version, build,
NBTname, installdate/time, organization, and the list goes on and on).

Have fun ;o)
Ramses Rodenburg.

-----Original Message-----
From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM]On Behalf Of
Bruce Dang
Sent: Thursday, August 10, 2000 8:07 AM
To: VULN-DEV () SECURITYFOCUS COM
Subject:


Paul,

I have seen this "bug" in IIS 4.0 before.  I think a friend of mine
exploited it a few months ago.  It has something to do with the NULL.HTW
file, it will reveal the passwords from the file (parsed on the server side
of course).  I never bothered to report it to MS sekurity cuz of laziness
:>.  I guess they will look into it now :<.  Thanks for bringing it up.

Cheers,

Bruce
----- Original Message -----
From: "Paul Rogers" <paul.rogers () MIS-CDS COM>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Tuesday, August 08, 2000 8:28 AM


Hi ppl,

Can't seem to find any info about this on Microsoft's site or BugtraQ so I
thought I'd post here.

In certain IIS/4.0 configurations with ASP (assumption because the file
seems to be an ASP include) and SQL Server running (unknown version),
http://server/include/dbconfig.inc reveals the DSN, username and password to
the database being utilised by the website. Does anyone know about this and
under what configuration conditions does this occur? Or is it just poor
configuration on the IIS server revealing the include directory for ASP
scripts run on the site? I think it may be the latter but I'm no NT/IIS
security guru.

Sample output:

<%
Set Conn = Server.CreateObject("ADODB.Connection")
Conn.Open "DSN=testdb;UID=user1;PWD=xxxx"
' Conn.Open "testsite"

Set SQLConn = Server.CreateObject("ADODB.Connection")
SQLConn.Open "DSN=testdb;UID=user1;PWD=xxxx"

%>

Cheers,

Paul Rogers,
Network Security Analyst.

MIS Corporate Defence Solutions Limited

Tel: +44 (0)1622 723422 (Direct Line)
+44 (0)1622 723400 (Switchboard)
Fax: +44 (0)1622 728580
Website: http://www.mis-cds.com/
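
An audit for the condition discussed in this thread, added here as an example and not code from any of the posters: it walks a web root, lists files that would be returned as plain text and contain a connection-string password, and lists ASP pages that still pull includes in with `#include virtual=`. The extension list, the function names and the sample directory tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: these extensions have no script mapping, so the server returns them as text.
STATIC_EXTS = {".inc", ".bak", ".txt"}
# Password inside a connection string, as in the dbconfig.inc sample from the thread.
CRED_RE = re.compile(r"\b(?:PWD|Password)\s*=\s*[^;\"'\s]+", re.I)
# ASP server-side include directive, either virtual= or file= form.
INCLUDE_RE = re.compile(r"<!--\s*#include\s+(virtual|file)\s*=\s*\"([^\"]+)\"\s*-->", re.I)

def audit_webroot(webroot):
    """Return (URLs of text-served files holding credentials, virtual include refs)."""
    exposed, virtual_refs = [], []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            path = os.path.join(dirpath, name)
            url = "/" + os.path.relpath(path, webroot).replace(os.sep, "/")
            with open(path, encoding="latin-1") as fh:
                text = fh.read()
            ext = os.path.splitext(name)[1].lower()
            if ext in STATIC_EXTS and CRED_RE.search(text):
                exposed.append(url)
            if ext == ".asp":
                for kind, target in INCLUDE_RE.findall(text):
                    if kind.lower() == "virtual":
                        virtual_refs.append((url, target))
    return sorted(exposed), sorted(virtual_refs)

def build_sample_tree():
    """Constructed sample: one include under the web root, one kept outside it."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "wwwroot")
    os.makedirs(os.path.join(root, "include"))
    os.makedirs(os.path.join(base, "private"))
    files = {
        "wwwroot/include/dbconfig.inc": '<%\nConn.Open "DSN=testdb;UID=user1;PWD=xxxx"\n%>\n',
        "wwwroot/default.asp": '<!-- #include virtual="/include/dbconfig.inc" -->\n',
        "wwwroot/report.asp": '<!-- #include file="../private/db.inc" -->\n',
        "private/db.inc": '<%\nConn.Open "DSN=testdb;UID=user1;PWD=xxxx"\n%>\n',
    }
    for rel, body in files.items():
        with open(os.path.join(base, *rel.split("/")), "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    print(audit_webroot(build_sample_tree()))
```

In the constructed tree only `/include/dbconfig.inc` is reported; the copy under `private/` sits outside the web root and is never reachable by URL.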

