Bugtraq mailing list archives
Microsoft IIS 5.0 CodeBrws.asp Source Disclosure
From: H D Moore <sflist () digitaloffense net>
Date: Tue, 16 Apr 2002 22:01:19 -0500
--[ Microsoft IIS 5.0 CodeBrws.asp Source Disclosure
Summary:
Microsoft's IIS 5.0 web server is shipped with a set of
sample files to demonstrate different features of the ASP
language. One of these sample files allows a remote user to
view the source of any file in the web root with the extension
.asp, .inc, .htm, or .html. The IISSamples virtual directory
should not be left on production servers in the first place,
but until now there were no serious[1] vulnerabilities found in
those sample scripts. Microsoft was _not_ contacted about
this, they can read the lists like everyone else. This is an
issue that can be fixed by proper system administration.
Solution:
Remove the /IISSamples virtual directory using the Internet
Services Manager. If for some reason this is not possible,
removing the following ASP script will fix the problem:
This path assumes that you installed IIS in c:\inetpub
c:\inetpub\iissamples\sdk\asp\docs\CodeBrws.asp
Details:
The IIS developers actually put some thought into securing
this sample script. Unfortunately for them and their user
base, they didn't take into account the Unicode character
set when checking the path passed to the script.
The function fValidPath in CodeBrws.asp has the following
comment placed above it:
REM **************************************
REM intended behavior:
REM allow access to only .asp, .htm, .html, .inc files
REM in some directory starting from /IISSAMPLES
REM and without .. in the path
REM **************************************
The fValidPath function first checks to see if the base
directory starts with "/IISSAMPLES", then verifies that the
last characters of the request are one of the allowed
extensions, and finally checks to see if the ".." sequence is
anywhere in the string.
The problem is that ".." can be represented a number of other
ways using the Unicode character set. For instance, the
sequence %c0%ae%c0%ae will be decoded as two periods by IIS,
but will not be caught by the InStr(1,strPath,"..",1) code in
the ASP script. So to create a request which passes the input
filters but retrieves the source of default.asp...
/iissamples/sdk/asp/docs/CodeBrws.asp?Source=/IISSAMPLES/%c0%ae%c0%ae/default.asp
[1] While all versions of IIS previous to 5.0 had significant problems
with the bundled sample scripts, 5.0 has only had a couple information
gathering issues to date. Due to the lowered risk, many administrators
have left the iissamples virtual directory mapped on their
production servers.
Current thread:
- Microsoft IIS 5.0 CodeBrws.asp Source Disclosure H D Moore (Apr 17)
- Re: Microsoft IIS 5.0 CodeBrws.asp Source Disclosure Joe Testa (Apr 17)
- <Possible follow-ups>
- RE: Microsoft IIS 5.0 CodeBrws.asp Source Disclosure Randy Hinders (Apr 17)
- Re: Microsoft IIS 5.0 CodeBrws.asp Source Disclosure H D Moore (Apr 17)
- Re: Microsoft IIS 5.0 CodeBrws.asp Source Disclosure Chris Anley (Apr 18)
- Re: Microsoft IIS 5.0 CodeBrws.asp Source Disclosure H D Moore (Apr 17)