[bWM#013] IIS (patched) may execute any file in a ".asp"-directory (bad behavior)

[<ben.moeckel () badwebmasters net>]

badWebMasters security advisory #013 

IIS (patched) may execute any file in a ".asp"-directory (bad behavior) 

Discovery date: 2003-05-17 
  
Author:
ben moeckel (http://distressed.de)
mailto: badwebmasters () online de 
 
  
Description:
When a directory is named like an asp-file the asp engine will parse any
file in it, no matter what extension the file has.

This may be dangerous when users where able to create directories and
upload images in it, a malicious user could upload an asp- script with
the extension of an image and run it on the server. 
 
  
Exploit: 
Create the directory "test.asp" in your webroot and place the following
file in it:

-- exploit.gif ------------------------------------

        Hello world, I'm an image!

---------------------------------------------------
Open http://localhost/test.asp/exploit.gif in your browser and you
should read the message.
 
  
Live sample:
http://badwebmasters.net/advisory/013/test.asp/exploit.gif 
 
  
Vendor:
Microsoft has been contacted 06-16-03 via the webform about this bug. 
 
  
References:
aspforum.de "Verschickter IIS..." (german)
- http://aspforum.de/topic.asp?TOPIC_ID=13863

Path Parsing Errata in Apache
- http://cert.uni-stuttgart.de/archive/bugtraq/2003/01/msg00202.html
 
  
Feedback:
Comments, suggestions, updates, anything else?
   -> mailto:badwebmasters () online de 
 
  
Source:
http://badwebmasters.net/advisory/013/ (text/html) 
 
  
_________________________________________

badWebMasters - ben moeckel security research
http://badwebmasters.de http://badwebmasters.net
copyright 2k1-3 by Benjamin Klimmek / Germany
mailto:badwebmasters () online de
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html