DATE:  
COMMAND                                            SOURCE: 
                                                   AUTHOR: 
  IIS


SYSTEMS AFFECTED

  Win NT 4.0 (server)

  

PROBLEM


    The following text is part of a L0pht Security Advisory; its
    author is weld@l0pht.com.  It concerns the ASP attack and the MS
    patch that opened a new hole.  L0pht Security Advisories are
    available at



    http://www.l0pht.com/advisories.html



    Microsoft's IIS 3.0 supports server-side scripting using "Active
    Server Pages", or .asp files.  These files are meant to be executed
    and not be visible to the user.  The scripts may contain sensitive
    information such as SQL Server passwords.  These files can be
    downloaded and viewed instead of executed by replacing the '.' in a
    URL with '%2e'.  Severity: users can read the server-side script
    in .asp, .ht., .id, .PL files.



    An earlier problem discovered in IIS 3.0 allowed users to read the
    contents of .asp files by appending a '.' or a series of '.'s to
    the end of a URL:



        http://www.mycompany.com/default.asp



    becomes



        http://www.mycompany.com/default.asp.



    Microsoft acknowledged the problem and released a hot-fix patch
    to IIS 3.0.  This is available from:



        http://www.microsoft.com/iis/iisnews/hotnews/security.htm



    This hot-fix solved the trailing '.' problem but opened up a new
    hole which allows the same results - viewing the .asp file
    instead of executing it.



    This is accomplished by replacing the '.' in the filename part of
    a URL with a '%2e', the hex value for '.':



        http://www.mycompany.com/default.asp



    becomes



        http://www.mycompany.com/default%2easp



    Your browser will prompt you to save the file to disk where you
    can then view the contents of the .asp file.



    Web sites that have not installed the Microsoft IIS 3.0 hot-fix
    are not affected by this problem, although the trailing '.' method
    still works to display the contents of the .asp file.



    An interesting thing happened when MS announced that they had fixed
    this bug.  Afterwards, Dick van den Burg tried to reproduce the same
    thing on the MS web site, but this time it failed.  A little
    imagination suggested doing it this way:



        http://www.microsoft.com/default%2e%41sp.



    and this did allow him to retrieve the .asp file.





EXPLOIT

  

SOLUTION


    Microsoft has been notified of this problem.  Hot-fix is expected.
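
    The URL forms quoted above all name the same file while spelling
    its extension differently.  The Python sketch below is an added
    example, not code from L0pht or Microsoft: it models a script
    mapping decided on the raw URL next to one decided on the
    canonical name, and flags requests where the two disagree.
    Assumptions: all function names and SCRIPT_EXTS are hypothetical,
    the sample paths are constructed, and the flawed check is only a
    model of the behaviour described, not IIS's actual code.

```python
from urllib.parse import unquote

# Assumption for this sketch: the only script type mapped is .asp.
SCRIPT_EXTS = {".asp"}

def _last_segment(path):
    """File-name part of a request path, query string removed."""
    return path.split("?", 1)[0].rsplit("/", 1)[-1]

def _ext(name):
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""

def raw_is_script(path):
    """Flawed model: match the extension on the undecoded URL text."""
    return _ext(_last_segment(path).lower()) in SCRIPT_EXTS

def canonical_name(path):
    """Name the file system will open: percent-escapes decoded,
    trailing dots/spaces dropped and case folded (Win32 name rules)."""
    return unquote(_last_segment(path)).rstrip(". ").lower()

def canonical_is_script(path):
    """Hardened check: decide on the canonical name, not the raw URL."""
    return _ext(canonical_name(path)) in SCRIPT_EXTS

def is_source_disclosure_attempt(path):
    """True when the file opened is a script but the raw URL hides it."""
    return canonical_is_script(path) and not raw_is_script(path)

# Constructed sample requests, using the URL forms quoted in the advisory.
SAMPLE_PATHS = [
    "/default.asp",
    "/default.asp.",
    "/default%2easp",
    "/default%2e%41sp.",
    "/index.html",
]

def scan(paths):
    """Return the request paths that should be flagged in a log review."""
    return [p for p in paths if is_source_disclosure_attempt(p)]

if __name__ == "__main__":
    for p in scan(SAMPLE_PATHS):
        print("suspicious:", p, "->", canonical_name(p))
```

    Run over the request paths of a web server log, scan() returns
    the entries worth reviewing; canonical_is_script() is the check a
    handler mapping should apply.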