Vulnerability Development mailing list archives
Weakness in default.asp [Hackemate.com Research]
From: "KeRoZeNe [Hackemate]" <krzn () softhome net>
Date: Mon, 12 Nov 2001 16:45:52 -0300
Research by www.hackemate.com

This weakness was found on some IIS 4.0 servers with the next characteristics or similar:

HTTP/1.1 302 Object moved
Server: Microsoft-IIS/4.0
Date: Mon, 12 Nov 2001 19:24:52 GMT
Location: http://www.tectimes.com/ppal.asp
Connection: Keep-Alive
Content-Length: 153
Content-Type: text/html
Set-Cookie: ASPSESSIONIDGQGQQQCI=CINJJCOADDBCMOCEILCBCCDB; path=/
Cache-control: private

When you ask for a certain URL, it shows the real path of the Web Site files in the server. It can be exploited this way:

http://www.website.com/default.asp?sector=anything

For example:

http://www.tectimes.com/SistemaMas/default.asp?sector=lamers

It will respond with the next data:

error '80020009'
Exception occurred.
D:\SITIOS_WEB\TECTIMES\NUEVO\SISTEMAMAS\../body.htm, line 74

As you can see, it reveals the real path of the site directory.

The HTML code of the response:

<SCRIPT LANGUAGE="JavaScript">
function PopUp(destino) {
var ventana = window.open(destino, "_blank", "left=0,top=0,width=790,height=520,toolbar=no,location=no,status=yes,menubar=no,resizable=yes,scrollbars=yes");
}
function sugerencias(d) {
var v=window.open(d + "&title=" + document.title, '_blank', 'left=0,top=0,width=320,height=380,toolbar=no,location=no,status=yes,menubar=no,resizable=no,scrollbars=no')
}
function comentarios(d) {
var v=window.open(d + "&title=" + document.title, '_blank', 'left=0,top=0,width=340,height=380,toolbar=no,location=no,status=yes,menubar=no,resizable=no,scrollbars=yes')
}
</SCRIPT>
<font face="Arial" size=2>error '80020009'</font>
<p>
<font face="Arial" size=2>Exception occurred. </font>
<p>
<font face="Arial" size=2>D:\SITIOS_WEB\TECTIMES\NUEVO\SISTEMAMAS\../body.htm</font><font face="Arial" size=2>, line 74</font>

---------------

I will keep on investigating this and send you some more information as soon as I get it.

Greetz from Argentina

KerozenE
1999-2001 c0oL!
ICQ: XXXXXXXX
*********************************
Webmaster of www.hackemate.com.ar
krzn () softhome net
*********************************
Moderator of HACKEMATE Security bulletin
http://www.eListas.net/lista/hackemate/alta
hackemate-alta () Elistas net
*********************************
Editor of the EZine HC&KTM
Http://www.hackemate.com.ar
hackemate-alta () Elistas net
*********************************
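
A check a site owner could run over captured responses from their own application to flag the path disclosure described in the post above. This is an added example, not part of the original message; the host, the path in the sample body and all function names are constructed placeholders.

```python
import html
import re

# Classic ASP error banner as rendered by IIS, e.g.  error '80020009'
ASP_ERROR = re.compile(r"error\s+'([0-9A-Fa-f]{8})'")
# Absolute Windows path (drive letter or UNC share), optional ", line N" suffix
WIN_PATH = re.compile(
    r"((?:[A-Za-z]:\\|\\\\)[^\s<>\"'|?*,]+)(?:\s*,\s*line\s+(\d+))?"
)

def visible_text(body):
    """Drop <script> blocks and tags so text split across <font> tags rejoins."""
    body = re.sub(r"(?is)<script\b.*?</script>", " ", body)
    body = re.sub(r"<[^>]+>", " ", body)
    return re.sub(r"\s+", " ", html.unescape(body))

def find_path_disclosure(body):
    """Return one finding per server file-system path visible in the body."""
    text = visible_text(body)
    err = ASP_ERROR.search(text)
    return [
        {
            "error_code": err.group(1) if err else None,
            "path": m.group(1),
            "line": int(m.group(2)) if m.group(2) else None,
        }
        for m in WIN_PATH.finditer(text)
    ]

def audit(responses):
    """Map URL -> findings for every captured response that leaks a path."""
    scanned = {url: find_path_disclosure(body) for url, body in responses.items()}
    return {url: found for url, found in scanned.items() if found}

# Constructed samples: host and path are placeholders, not values from the post
SAMPLES = {
    "http://www.example.test/app/default.asp?sector=x": (
        '<SCRIPT LANGUAGE="JavaScript">function PopUp(d){window.open(d)}</SCRIPT>'
        "<font face=\"Arial\" size=2>error '80020009'</font><p>"
        '<font face="Arial" size=2>Exception occurred. </font><p>'
        r'<font face="Arial" size=2>D:\SITES\EXAMPLE\APP\../body.htm</font>'
        '<font face="Arial" size=2>, line 74</font>'
    ),
    "http://www.example.test/app/default.asp": "<html><body>Welcome</body></html>",
}

if __name__ == "__main__":
    print(audit(SAMPLES))
```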