I am killing this thread. This is degenerating into the old Full Disclosure debate. To answer Darren, yes there is a public vulnerability database. Check out the one at Security Focus (http://www.securityfocus.com/). Finally, we have received via an anonymous source the details of the vulnerability. From the SF vulnerability database: This vulnerability could allow a web site viewer to obtain the source code for .asp and similar files if the server's default language (Input Locale) is set to Chinese, Japanese or Korean. How this works is as follows: IIS checks the extension of the requested file to see if it needs to do any processing before delivering the information. If the requested extension is not on it's list, it then makes any language-based calculations, and delivers the file. If a single byte is appended to the end of the URL when IIS to set to use one of the double-byte language packs (Chinese, Japanese, or Korean) the language module will strip it as invalid, then look for the file. Since the new URL now points to a valid filename, and IIS has already determined that this transaction requires no processing, the file is simply delivered as is, exposing the source code. -- Aleph One / aleph1at_private http://underground.org/ KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:51:42 PDT