SV: The good , the bad, the IIS. (%3F Weirdness)

["Stefan Sundkvist" <stefan.sundkvist () spray se>]

Well i have no more clue of hotfixes but there seems to be other
problems with %3F and jsp. And am sorry if this is old.

I just tryed this on my IIS5 sp2 with most hotfixes and Resin 2.0.1
installed.

http://server/default.asp%3F.jsp

And it just droped me the asp source. Got similar result with alliere
jrun.

I think i seen a post here somewhere about %3F.jsp gets you a filelist
if you try something like http://server/%3F.jsp to.

A fix for it seems to be to set the rights on the site to Script only.

Regards,

Stefan Sundkvist

-----Ursprungligt meddelande-----
Från: jesperht () hotmail com [mailto:jesperht () hotmail com] 
Skickat: den 5 januari 2002 18:15
Till: vuln-dev () securityfocus com
Ämne: The good , the bad, the IIS. (%3F Weirdness)




*I have no clue if this is a new bug or not due to my 

lack of hotfixes, but here it goes!*



Hello fellow vuln-dev'ers,

Here is a srange bug ive found on my test server:



Microsoft Windows 2000 [Version 5.00.2195]  

(service pack 2)



Making the following request:



http://bender/global.asa%3f.htr



Adding a %3f.htr at the end seems to yield its source 

code.  Because this is a default install, all that it 

contains is the following:



<OBJECT RUNAT=Server SCOPE=Session 

ID=MyInfo PROGID="MSWC.MyInfo">

</OBJECT>

   

Ive tried appending  %3f.htr to iisstart.asp (another 

default file), but that does not reveal a thing.  

Renaming iisstart.asp to iisstart.asa and trying to 

view its source does not work then either.  I cant find 

any logic behind this. Please give this a shot, play 

with this, and send in your results/thoughts!



Best Regards,

-Scarabus