Vulnerability Development mailing list archives

Weakness in default.asp [Hackemate.com Research]


From: "KeRoZeNe [Hackemate]" <krzn () softhome net>
Date: Mon, 12 Nov 2001 16:45:52 -0300

Research by www.hackemate.com

This weakness was found on some IIS 4.0 servers
with the next characteristics or similar:

HTTP/1.1 302 Object moved
Server: Microsoft-IIS/4.0
Date: Mon, 12 Nov 2001 19:24:52 GMT
Location: http://www.tectimes.com/ppal.asp
Connection: Keep-Alive
Content-Length: 153
Content-Type: text/html
Set-Cookie: ASPSESSIONIDGQGQQQCI=CINJJCOADDBCMOCEILCBCCDB; path=/
Cache-control: private

When you ask for a certain URL, it shows the real path of
the Web Site files in the server.
It can be exploited this way:
http://www.website.com/default.asp?sector=anything

For example:
http://www.tectimes.com/SistemaMas/default.asp?sector=lamers

It will respond with the next data:


error '80020009'
Exception occurred.

D:\SITIOS_WEB\TECTIMES\NUEVO\SISTEMAMAS\../body.htm, line 74


As you can see, it reveals the real path of
the site directory.

The HTML code of the response:

<SCRIPT LANGUAGE="JavaScript">
function PopUp(destino)
{
        var ventana = window.open(destino, "_blank", 
"left=0,top=0,width=790,height=520,toolbar=no,location=no,status=yes,menubar=no,resizable=yes,scrollbars=yes");
}
function sugerencias(d)
{
        var v=window.open(d + "&title=" + document.title, '_blank', 
'left=0,top=0,width=320,height=380,toolbar=no,location=no,status=yes,menubar=no,resizable=no,scrollbars=no')
}

function comentarios(d)
{
        var v=window.open(d + "&title=" + document.title, '_blank', 
'left=0,top=0,width=340,height=380,toolbar=no,location=no,status=yes,menubar=no,resizable=no,scrollbars=yes')
}
</SCRIPT>
 <font face="Arial" size=2>error '80020009'</font>
<p>
<font face="Arial" size=2>Exception occurred.
</font>
<p>
<font face="Arial" size=2>D:\SITIOS_WEB\TECTIMES\NUEVO\SISTEMAMAS\../body.htm</font><font face="Arial" size=2>, line 
74</font>

---------------
     I will keep on investigating this and send you some more
information as soon as I get it.
            Greetz from Argentina

KerozenE 1999-2001 c0oL!
ICQ: XXXXXXXX
*********************************
Webmaster of www.hackemate.com.ar
krzn () softhome net
*********************************
Moderator of HACKEMATE Security bulletin
http://www.eListas.net/lista/hackemate/alta
hackemate-alta () Elistas net
*********************************
Editor of the EZine HC&KTM
Http://www.hackemate.com.ar
hackemate-alta () Elistas net
*********************************
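A defender-side check for this class of leak, added here as an example that is not the author's code nor anything from Hackemate: it strips the HTML from a response body, pulls out the ASP error code, any Windows drive-letter path and the reported line number, and flags the URLs whose response discloses a physical path. The two response bodies are constructed samples, the first modelled on the error page quoted above, the second on a generic custom error page.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

# Constructed sample, modelled on the ASP error page quoted in the post above.
LEAKY_BODY = (
    "<font face=\"Arial\" size=2>error '80020009'</font>\n<p>\n"
    "<font face=\"Arial\" size=2>Exception occurred.\n</font>\n<p>\n"
    "<font face=\"Arial\" size=2>D:\\SITIOS_WEB\\TECTIMES\\NUEVO\\SISTEMAMAS\\../body.htm"
    "</font><font face=\"Arial\" size=2>, line \n74</font>\n"
)
# Constructed sample of a generic custom error page that reveals nothing about the host.
SAFE_BODY = "<html><body><h1>An error occurred.</h1><p>Please try again later.</p></body></html>"

TAG_RE = re.compile(r"<[^>]+>")
# ASP reports COM errors as: error '8002xxxx'
ASP_ERROR_RE = re.compile(r"error\s+'(?P<code>[0-9A-Fa-f]{8})'")
# Drive-letter path; stops at whitespace, quotes, angle brackets or a comma.
WIN_PATH_RE = re.compile(r"(?<![A-Za-z0-9])[A-Za-z]:\\[^\s<>\"',]+")
LINE_RE = re.compile(r",\s*line\s+(?P<line>\d+)")


@dataclass
class Finding:
    error_code: Optional[str]
    paths: List[str] = field(default_factory=list)
    line: Optional[int] = None

    @property
    def leaks_path(self) -> bool:
        return bool(self.paths)


def inspect_body(body: str) -> Finding:
    """Strip tags, then look for the ASP error code, physical paths and line number."""
    text = TAG_RE.sub("", body)
    m = ASP_ERROR_RE.search(text)
    code = m.group("code") if m else None
    paths = WIN_PATH_RE.findall(text)
    lm = LINE_RE.search(text)
    line = int(lm.group("line")) if lm else None
    return Finding(code, paths, line)


def flag_responses(responses: Iterable[Tuple[str, str]]) -> List[str]:
    """responses: (url, body) pairs; returns the URLs whose body discloses a physical path."""
    return [url for url, body in responses if inspect_body(body).leaks_path]
```

Run over captured responses from an authorised scan of your own servers, the flagged URLs are the pages still serving raw ASP errors; the server-side fix is to map script errors to a generic custom error page so the response looks like SAFE_BODY rather than LEAKY_BODY.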