Hi, I'm sorry if this is old or has been discussed before or it is even not a bug...But.I have a system with IIS 4.0 installed + sp5 and i noticed something.If a user has on his page a file misc.lnk wich was created in his own probably NT box, and this file points anywhere on the web servers file,then when he will try to view the file he will be able to see the contents of the file the .lnk points to. Example xploit: Find a web hosting site,create a fictious account , make a shortcut of a file you would like to see ex. c:\winnt\profiles\administrator\ntuser.dat upload the .lnk file to the web server and then go ask for it.Answer yes to open the file remotely ( or something like that). Now the q: Is it a feature of IIS to follow links? or is it a bug. PS. I thought this thing over and i couldn't find a help with closing link-following. With regards Mig
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:50:14 PDT