Re: Weakness in default.asp [Hackemate.com Research]

[Thor () HammerofGod com]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Just a quick reply... One should always turn off detail ODBC error logging 
on production systems.  When you do so, you would get a standard "Internal 
Server Error" by default rather than the detailed errors.  This is true for 
IIS 4.0 and 5.0.

hth



At 04:45 PM 11/12/2001 -0300, KeRoZeNe [Hackemate] wrote:


> When you ask for a certain URL, it shows the real path of
> the Web Site files in the server.
> It can be exploited this way:
> http://www.website.com/default.asp?sector=anything
>
> For example:
> http://www.tectimes.com/SistemaMas/default.asp?sector=lamers
>
> It will respond with the nexy data:
>
>
> error '80020009'
> Exception occurred.
>
> D:\SITIOS_WEB\TECTIMES\NUEVO\SISTEMAMAS\../body.htm, line 74

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBO/BWg4hsmyD15h5gEQI/swCgkwmsL96IF9dL/KK+NAE5CQEt1NAAniDQ
eORoCbZMaO+K91837kHdFmHB
=AOfB
-----END PGP SIGNATURE-----