Bugtraq mailing list archives
SV: IIS still revealing paths for web directories
From: kristoffer.ustad () WINGE NO (Kristoffer Ustad)
Date: Thu, 13 Jan 2000 09:09:02 +0100
In my opinion this is a big deal. Forgot the RDS exploit found by Greg Gonzalez? In the past months a great deal of webpages have been defaced. A majority of theme were hosted on IIS4 servers. r.f.p. wrote an exploit I think was called msadc.pl. What this exploit did was letting you into a cmd /c shell. issuing a "echo" command from this shell will able you to do uhm.. a whole lot. including overwriting the index.htm/l file. But, alot of lamers got their hands on this exploit, but they weren't able to locate the index file(a lot of people rewrote the exploit so that it scanned for the index file, probably using this bug http://www.microsoft.com/anything.ida) Kristoffer Ustad Computer Consultant(in need of job) Vanja Hrustic wrote:
This has been mentioned before, but it's probably good to remind Microsoft about some outstanding issues. Request : http://www.microsoft.com/anything.ida Response: The IDQ file d:\http\anything.ida could not be found. Request : http://www.microsoft.com/anything.idq Response: The IDQ file d:\http\anything.idq could not be found. Microsoft is running IIS5 The same problem still exists on IIS4 (tested with SP5 - didn't try on SP6). It's not really a big deal, but they should fix it. -- Vanja Hrustic The Relay Group http://relaygroup.com Technology Ahead of Time
*************************************************************************** This footnote confirms that this email message and any files transmitted with it has been swept by MIMEsweeper for the presence of computer viruses. ***************************************************************************
Current thread:
- Re: IIS still revealing paths for web directories Jonah Kowall (Jan 12)
- <Possible follow-ups>
- SV: IIS still revealing paths for web directories Kristoffer Ustad (Jan 13)
- Re: IIS still revealing paths for web directories Eric.Stevens () AVENTIS COM (Jan 13)
- Re: IIS still revealing paths for web directories Vanja Hrustic (Jan 15)
- Re: IIS still revealing paths for web directories Rob Systhine (Jan 14)
- Re: IIS still revealing paths for web directories Frank Knobbe at Home (Jan 15)
- Re: IIS still revealing paths for web directories Niklas Schiffler (Jan 18)
- IIS still revealing paths for web directories Michael Howard (Jan 17)
- Re: IIS still revealing paths for web directories Brock Tellier (Jan 18)
- Re: IIS still revealing paths for web directories Kevin Matthew (Jan 19)
- Re: IIS still revealing paths for web directories Michael Howard (Jan 20)