Vulnerability Development mailing list archives
Re: .htr bug still exist after applying MS patches.
From: Maher Odeh <rax () NETVISION NET IL>
Date: Mon, 5 Feb 2001 09:48:41 +0200
How about removing the .htr extensions and saving yourself a lot of trouble?

Maher Odeh
NetVision Security Team
Cell Phone : 050 936 107
On-Line Transcript : http://www.brainbench.com/transcript.jsp?pid=710078

-----Original Message-----
From: System1 [mailto:System () tiemiddleeast com]
Sent: Tuesday, January 30, 2001 2:15 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: .htr bug still exist after applying MS patches.

Hi,

MS01-004 is out. I sent this letter to Microsoft a few days ago:

-----Original Message-----
From: Moran [mailto:Moran () TIEMIDDLEEAST com]
Sent: Saturday, January 20, 2001 4:55 PM
To: secure () microsoft com
Subject: .htr bug still exist after applying MS patches.

Hi,

I have a server running Win2000 Adv. Server with IIS 5. I have applied all relevant MS patches. After I did that, I checked for security problems and did as follows:

https://mysite/checkuser.asp

(The ASP makes a check with the SQL server for user name and password, and I get an error of unknown login ID. That's fine.)

BUT when I did:

https://mysite/checkuser.asp%3F+.htr

I get a blank page, and when I view the source I get this line:

<!--#include file="Conn.asp"-->

So an attacker can now know in which file my DSN details are located. What I'm worried about is that an attacker can improve this method to show the full ASP file source. Notice that I added all MS patches and I can still do it. Is there any specific patch to prevent this? Please let me know ASAP.

Thanks,

Moran Zavdi
Systems Administrator
TIE Middle East Ltd.
Phone: (972)-9-9501113
mailto:moran () tiemiddleeast com
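A detection check for the request shape reported above, as an added example that is not part of the original thread: it scans W3C extended format web server logs for URLs in which a script name is followed by a trailing `.htr`. The log field layout, the sample lines and the name `find_htr_probes` are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample log in W3C extended format (not taken from the post).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-01-20 14:55:01 192.0.2.10 GET /checkuser.asp - 200
2001-01-20 14:55:09 192.0.2.10 GET /checkuser.asp%3F+.htr - 200
2001-01-20 14:56:30 192.0.2.11 GET /checkuser.asp +.htr 200
2001-01-20 14:57:02 192.0.2.12 GET /password.htr - 200
2001-01-20 14:58:11 192.0.2.13 GET /default.asp id=7 200
"""

# A script file name, then filler inside the same path segment, then ".htr"
# at the very end. A plain request for a real .htr file does not match.
SUSPECT = re.compile(r"\.(asp|asa|inc)\b[^/]*\.htr$", re.IGNORECASE)


def find_htr_probes(log_text):
    """Return (client_ip, requested_target, status) for suspicious requests."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        target = row.get("cs-uri-stem", "")
        query = row.get("cs-uri-query", "-")
        if query != "-":
            # The server may log the part after "?" in a separate column.
            target += "?" + query
        # Decode twice so that %3F and a double-encoded %253F both become "?".
        decoded = unquote(unquote(target))
        if SUSPECT.search(decoded):
            hits.append((row.get("c-ip"), target, row.get("sc-status")))
    return hits


if __name__ == "__main__":
    for ip, target, status in find_htr_probes(SAMPLE_LOG):
        print(f"{ip} requested {target} (status {status})")
```

Once the .htr script mapping has been removed as the reply suggests, any hit from this check is a probe against a handler that no longer exists.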