> From: Bugtraq List [mailto:BUGTRAQat_private]On Behalf Of 3APA3A
> Sent: Tuesday, 29 February 2000 20:12
> To: BUGTRAQat_private
> Subject: IIS doesn't check existence of local file before calling CGI
>
>
> Hello,
>
> There is another way to retrieve a full path to local files in
> IIS4:
>
> If there is external CGI application configured for some file type
> and this application doesn't produce correct HTTP headers IIS
> generates an error with output of application (both stdout and
> stderror). The problem is, that IIS doesn't check existence of the
> requested file before calling CGI application.

Hello

You can set IIS to verify that the requested file (CGI script) exists before it calls the external application. It's recommended that you always set this option on (AFAIR it's set by ActivePerl setup for .pl files); however, Microsoft's own ISAPI applications do not have it set by default - the administrator has to do it himself. IMHO nothing bad about it - anyway he/she must take some actions to fortify IIS4, as its default installation is not even supposed to be secure. All necessary steps are well described in the MS whitepaper (but I do not remember what it says about this particular option :-/ ).

Here goes an example:

1) option "check that file exists" is NOT set, called external CGI (not ISAPI) application (behavior described by 3APA3A)

    <head><title>Error in CGI Application</title></head>
    <body><h1>CGI Error</h1>The specified CGI application misbehaved by not returning a complete set of HTTP headers. The headers it did return are:<p><p><pre>Can't open perl script "C:\InetPub\wwwroot\cgi-bin\nosuchfile.pl": No such file or directory
    </pre>

2) option "check that file exists" IS set, called external CGI (not ISAPI) application:

    <html><head><title>Error 404</title>
    <meta name="robots" content="noindex">
    <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"></head>
    <body>
    <h2>HTTP Error 404</h2>
    <p><strong>404 Not Found</strong></p>
    <p>The Web server cannot find the file or script you asked for. Please check the URL to ensure that the path is correct.</p>
    <p>Please contact the server's administrator if this problem persists.</p>
    </body></html>

If the application called is a "script engine" (ISAPI application - as ASP and SSI are) AND option "check that file exists" is NOT set, you will receive a response specific to this particular ISAPI application (usually error 404, eventually some kind of invalid response). Probably this is why MS does not set this option for its own ISAPI applications - these are supposed to return error 404 on their own.

Well, it reminds me of the well-known buffer overflow in ism.dll - which could not be exploited if IIS verifies that the requested .htr file exists before calling ISAPI.

I believe that what 3APA3A described is rather a result of poor administration practices, not an error in the IIS implementation.

Regards
B. Kozicki
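
An audit of script mappings for the "check that file exists" option discussed above, as an added example that is not part of the original message. It assumes the mappings have been exported as IIS metabase ScriptMaps strings ("extension,processor,flags[,verbs]") in which flag bit 4 is the check-that-file-exists setting; the sample entries and their file paths are constructed.

```python
import re

# Assumption: metabase ScriptMaps flag bit 4 = "check that file exists".
FLAG_CHECK_FILE_EXISTS = 0x4

# Constructed sample entries (not taken from a real server).
SAMPLE_SCRIPT_MAPS = [
    r'.pl,C:\Perl\bin\perl.exe "%s" %s,5',
    r'.cgi,C:\Perl\bin\perl.exe "%s" %s,1',
    r'.htr,C:\WINNT\System32\inetsrv\ism.dll,1',
    r'.asp,C:\WINNT\System32\inetsrv\asp.dll,1,PUT,DELETE',
]


def parse_script_map(entry):
    """Split one mapping into extension, processor, integer flags and verbs.

    Limitation: a processor path that itself contains a comma is rejected
    or misparsed; such entries need manual review.
    """
    parts = [p.strip() for p in entry.split(",")]
    if len(parts) < 3 or not parts[0].startswith("."):
        raise ValueError(f"malformed script map entry: {entry!r}")
    try:
        flags = int(parts[2])
    except ValueError:
        raise ValueError(f"non-numeric flags in entry: {entry!r}") from None
    return {"ext": parts[0].lower(), "processor": parts[1],
            "flags": flags, "verbs": parts[3:]}


def processor_kind(processor):
    """Classify the handler: .exe is an external CGI, .dll an ISAPI module."""
    m = re.search(r"\.(exe|dll)\b", processor, re.IGNORECASE)
    if not m:
        return "unknown"
    return "cgi" if m.group(1).lower() == "exe" else "isapi"


def audit_script_maps(entries):
    """Return (extension, kind) for every mapping that lacks the check."""
    findings = []
    for entry in entries:
        mapping = parse_script_map(entry)
        if not mapping["flags"] & FLAG_CHECK_FILE_EXISTS:
            findings.append((mapping["ext"], processor_kind(mapping["processor"])))
    return findings


if __name__ == "__main__":
    for ext, kind in audit_script_maps(SAMPLE_SCRIPT_MAPS):
        print(f"{ext}: {kind} handler is invoked without checking that the file exists")
```

Findings of kind "cgi" correspond to case 1 in the message, where the handler's error output with the local path is returned to the client; "isapi" findings rely on the ISAPI module to produce its own 404.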