Vulnerability Development mailing list archives
RE: IIS 4.0 leaking files?
From: "Colby Marks" <Colby () DigitalJunction Com>
Date: Thu, 2 Aug 2001 20:22:00 -0400
I could not reproduce this on IE 5.5 Win2k Svr or Netscape 4.7 I tested asp files on IIS5 SP2 and IIS5 SP1 win2k Svr. -Colby -----Original Message----- From: hypoclear () jungle net [mailto:hypoclear () jungle net] Sent: Thursday, August 02, 2001 2:46 PM To: vuln-dev () securityfocus com Subject: IIS 4.0 leaking files? I posted this to bugtraq, but I'm not sure if it will be posted, so I will post here too... --- I recently viewed a web page on a server running IIS 4.0 and accidently appended a \ after the url. This to my suprise caused the page to download. This occured under Netscape 4.6 (IE5 appears to ignore the \). I was wondering if anyone else could confirm this behavior. It is not my server so I cannot do extensive testing on it, so I'm bringing it to the community. The file that downloaded was a .html file, however I am curious if appending a \ has the possibility of downloading .asp's or .cgi's. If that was true it would be a definite security hole. Email me hypoclear () jungle net or the list with any findings. hypoclear
Current thread:
- IIS 4.0 leaking files? hypoclear (Aug 02)
- Re: IIS 4.0 leaking files? ___cliff rayman___ (Aug 02)
- Re: IIS 4.0 leaking files? Ian Stoba (Aug 02)
- Re: IIS 4.0 leaking files? Stanley G. Bubrouski (Aug 02)
- Re: IIS 4.0 leaking files? Michel Arboi (Aug 03)
- Re: IIS 4.0 leaking files? Stanley G. Bubrouski (Aug 03)
- Re: IIS 4.0 leaking files? Michel Arboi (Aug 03)
- RE: IIS 4.0 leaking files? Colby Marks (Aug 02)
- <Possible follow-ups>
- RE: IIS 4.0 leaking files? Johnson, Michael (Aug 02)