Vulnerability Development mailing list archives

Re: IIS 4.0 leaking files?


From: "Stanley G. Bubrouski" <stan () ccs neu edu>
Date: Fri, 3 Aug 2001 08:28:20 -0400 (EDT)


Well, this is IIS 5.0's response to a request for an HTML file with \
appended:
-----------------------------------------------------------------
GET /default.htm\ HTTP/1.0

HTTP/1.1 404 Object Not Found
Server: Microsoft-IIS/5.0
Date: Fri, 03 Aug 2001 11:58:37 GMT
Content-Length: 3252
Content-Type: text/html
<snip>
-----------------------------------------------------------------

Two things to look at here: default.htm does exist, and the webserver
reports the file is not found.  The Content-Type is therefore text/html
because it is spitting out the default MS 404 page.

Here is the servers response to the request without the \:
-----------------------------------------------------------------
GET /default.htm HTTP/1.0

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Fri, 03 Aug 2001 12:07:25 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Tue, 20 Feb 2001 10:35:10 GMT
ETag: "70fbd2cc289bc01:ab8"
Content-Length: 846
<snip>
------------------------------------------------------------------

And here is IIS 4.0's response to a request for an HTML file with \
appended:

-----------------------------------------------------------------
GET /Default.htm\ HTTP/1.0

HTTP/1.1 404 Object Not Found
Server: Microsoft-IIS/4.0
Date: Fri, 03 Aug 2001 12:11:28 GMT
Content-Length: 461
Content-Type: text/html
<snip>
-----------------------------------------------------------------

Here is the response of the same server without appending the \:
-----------------------------------------------------------------
GET /Default.htm HTTP/1.0

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Fri, 03 Aug 2001 12:11:37 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Tue, 12 Jun 2001 15:53:47 GMT
ETag: "2ec4a9dd57f3c01:104f"
Content-Length: 11770
<snip>
-----------------------------------------------------------------







On Fri, 3 Aug 2001, [iso-8859-1] Michel Arboi wrote:

> --- "Stanley G. Bubrouski" <stan () ccs neu edu> wrote:
> > I can.  It is called normal dumb browser behaviour

> No. This behaviour does not come from the browser. Try to telnet to
> some IIS web server, send it a GET or a HEAD request on /index.htm and
> /index.htm/ and see how the content type changes from "text/html" to
> "application/octet-stream".
> The server is doing this.
> BTW, this works with \ or / too.


Well actually yeah it does.  Older versions of Netscape are broken.  Set
up the same environment the user who reported this had and you will see
Netscape is incorrectly changing the mime-type, not the server.  Sometimes
servers do change the content-type of requested files, but this is not a
default behaviour of IIS 4/5/6; it is caused by misconfiguration and by
some add-ons/extensions to the server which are inherently broken, but
again I do not believe that is the case here.

> > not big webserver security hole.

> Well, I could not download any ASP with this. I did not try other
> extensions.

Why bother, you think nobody else has tried? :P


> > The reason the file was downloaded is because netscape is
> > stupid.

> No the reason is that IIS is buggy. Not a big bug apparently, but
> something dirty.


IIS isn't just buggy, it's dangerous.  But the blame needs to go where it
belongs.  Old Netscape browsers.

> > /index.html/ which could be a valid directory...the webserver
> > however did remove the slash.

> It removed the slash but somehow decided that the extension of the URI
> was "html/". "htm" or "html" should be sent as "text/html", but it has
> no rule for "html/"; so it reverts to the default
> "application/octet-stream" type.
> Just my 0.02 EUR


No.  First of all, the default mime-type is text/html; if it is
application/octet-stream, the default has been modified.  And in Windows
filenames cannot contain a '/', so if IIS receives a request that ends in a
'/' it assumes the characters preceding it are a directory.

IIS versions after 3.0 allow directories to have names like document.doc,
so appending a slash returns not found if you append it to a filename:


-------------------------------------------------------------------
GET /default.htm/ HTTP/1.0

HTTP/1.1 404 Object Not Found
Server: Microsoft-IIS/5.0
Date: Fri, 03 Aug 2001 12:14:19 GMT
Content-Length: 3252
Content-Type: text/html
-------------------------------------------------------------------

/default.htm exists but by adding a slash IIS is looking for a directory
named /default.htm/ and it is not found so it doesn't work. 


> > hypoclear
> > I love that name, I'm making a nameplate and putting it on my door.

> Could we have a discount if we buy several at once? :)

Absolutely not. :P

 



-Stan

--
Stan Bubrouski                                       stan () ccs neu edu
23 Westmoreland Road, Hingham, MA 02043        Cell:   (617) 835-3284
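The two explanations argued over above (Michel's "extension taken from the raw URI" hypothesis and Stan's "trailing separator means a directory lookup" description) modelled side by side, as an added example that is not code from the thread or from IIS; the webroot, the MIME table and the function names are constructed for illustration.

```python
# Constructed model of the two behaviours discussed in the thread; not IIS internals.
MIME_BY_EXT = {"htm": "text/html", "html": "text/html"}
DEFAULT_MIME = "application/octet-stream"   # the fallback Michel describes

# Constructed webroot: name -> "file" or "dir"
# (IIS 4+ allows a directory to carry a file-like name such as document.doc).
WEBROOT = {"default.htm": "file", "index.htm": "file",
           "index.html": "file", "images": "dir"}


def ext_of(name: str) -> str:
    """Text after the last '.', lower-cased; '' if there is no dot."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def naive_content_type(uri: str) -> str:
    """Michel's hypothesis: the extension is read off the raw request URI
    before any normalisation. For '/index.html/' that yields 'html/', which
    has no MIME rule, so the type falls back to application/octet-stream."""
    return MIME_BY_EXT.get(ext_of(uri), DEFAULT_MIME)


def serve(uri: str, webroot=WEBROOT):
    """Stan's description: a trailing '/' or '\\' marks a directory lookup, so a
    file name followed by a separator is a miss. Returns (status, content_type).
    The 404 body is the server's default HTML error page, hence text/html."""
    path = uri.replace("\\", "/")              # either separator is accepted
    trailing_sep = path.endswith("/")
    parts = [p for p in path.split("/") if p]
    name = parts[-1] if parts else ""
    kind = webroot.get(name)
    if kind is None:
        return 404, "text/html"                # nothing by that name
    if trailing_sep and kind != "dir":
        return 404, "text/html"                # '/default.htm/' asks for a directory
    if kind == "dir":
        return 200, "text/html"                # directory listing / default document
    # MIME type comes from the resolved file name, never from the raw URI.
    return 200, MIME_BY_EXT.get(ext_of(name), DEFAULT_MIME)
```

The second model reproduces the 404s captured in the transcripts above, while the first reproduces the text/html to application/octet-stream drift Michel reports; a handler that derives the type from the canonicalised file name cannot show that drift.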




