Vulnerability Development mailing list archives

Re: IIS 4.0 leaking files?


From: "Stanley G. Bubrouski" <stan () ccs neu edu>
Date: Thu, 2 Aug 2001 22:04:15 -0400 (EDT)


On 2 Aug 2001, hypoclear wrote:

> I posted this to bugtraq, but I'm not sure if it will be posted, so I
> will post here too...

It won't be.  If this was posted to Bugtraq I would expect the next event
to occur would be hell freezing over and the end of the world.


> ---
> I recently viewed a web page on a server running IIS 4.0 and
> accidentally appended a \ after the url. This to my surprise caused the
> page to download. This occurred under Netscape 4.6 (IE5 appears to
> ignore the \). I was wondering if anyone else could confirm this
> behavior. It is not my server so I

I can.  It is called normal dumb browser behaviour, not big webserver
security hole.  You want a hole, dig one, you are going nowhere with this.

> cannot do extensive testing on it, so I'm bringing it to the community.
> The file that downloaded was a .html file, however I am curious if
> appending a \ has the possibility of downloading .asp's or .cgi's. If
> that was

Why not try it? You'd see that it doesn't work.  The only time appending
characters to the end of an ASP would download it would be if the person
was running IIS 4.0 and the ASP resided on a mapped drive and the admin
didn't install a patch from way back in 98.  I doubt that is the case
here.  The reason the file was downloaded is because Netscape is
stupid.  End of story.  IE didn't download the file not because it ignored
the slash...when you add a slash it assumes you want the directory
/index.html/ which could be a valid directory...the webserver however did
remove the slash.

> true it would be a definite security hole. Email me
> hypoclear () jungle net or the list with any findings.


Good call.

> hypoclear


I love that name, I'm making a nameplate and putting it on my door.

-Stan

--
Stan Bubrouski                                       stan () ccs neu edu
23 Westmoreland Road, Hingham, MA 02043        Cell:   (617) 835-3284



