Microsoft IIS 5.0 CodeBrws.asp Source Disclosure

From: H D Moore (sflistat_private)
Date: Tue Apr 16 2002 - 20:01:19 PDT


    --[ Microsoft IIS 5.0 CodeBrws.asp Source Disclosure
    
    Summary:
    
            Microsoft's IIS 5.0 web server is shipped with a set of
            sample files to demonstrate different features of the ASP
            language. One of these sample files allows a remote user to
            view the source of any file in the web root with the extension
            .asp, .inc, .htm, or .html. The IISSamples virtual directory
            should not be left on production servers in the first place,
            but until now there were no serious[1] vulnerabilities found in
            those sample scripts. Microsoft was _not_ contacted about
            this; they can read the lists like everyone else. This is an
            issue that can be fixed by proper system administration.
    
    Solution:
    
            Remove the /IISSamples virtual directory using the Internet
            Services Manager. If for some reason this is not possible,
            removing the following ASP script will fix the problem: 
            
            This path assumes that you installed IIS in c:\inetpub
            
                c:\inetpub\iissamples\sdk\asp\docs\CodeBrws.asp
            
    Details:
    
            The IIS developers actually put some thought into securing
            this sample script. Unfortunately for them and their user
            base, they didn't take into account the Unicode character
            set when checking the path passed to the script.
    
            The function fValidPath in CodeBrws.asp has the following
            comment placed above it:
            
            REM **************************************
            REM  intended behavior:
            REM allow access to only .asp, .htm, .html, .inc files
            REM in some directory starting from /IISSAMPLES
            REM and without .. in the path
            REM **************************************      
    
            The fValidPath function first checks to see if the base
            directory starts with "/IISSAMPLES", then verifies that the
            last characters of the request are one of the allowed
            extensions, and finally checks to see if the ".." sequence is
            anywhere in the string. 
            
            The problem is that ".." can be represented a number of other
            ways using the Unicode character set. For instance, the
            sequence %c0%ae%c0%ae will be decoded as two periods by IIS,
            but will not be caught by the InStr(1,strPath,"..",1) code in
            the ASP script. So to create a request which passes the input
            filters but retrieves the source of default.asp...
            
            /iissamples/sdk/asp/docs/CodeBrws.asp?Source=/IISSAMPLES/%c0%ae%c0%ae/default.asp
    
    
    [1] While all versions of IIS previous to 5.0 had significant problems
    with the bundled sample scripts, 5.0 has only had a couple of information
    gathering issues to date. Due to the lowered risk, many administrators
    have left the iissamples virtual directory mapped on their
    production servers.
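The check-before-decode mistake the advisory describes, as an added example that is not part of the original post or of CodeBrws.asp: a naive validator that mirrors the fValidPath structure (prefix, extension, literal ".." substring), a permissive decoder standing in for the server-side handling of the overlong `%c0%ae` form, and a hardened validator that decodes strictly and normalises the path before checking it against the base directory. The function names, the `lenient_decode` model and the benign sample path are constructed for this demonstration; only the `%c0%ae%c0%ae` request comes from the advisory.

```python
"""Why a literal ".." check fails against overlong UTF-8, and how a
decode-then-normalise-then-check validator catches it.

Added example; not code from the advisory or from CodeBrws.asp. The
lenient decoder below is a constructed model of "overlong sequence is
accepted as the ASCII character it encodes", not the real IIS decoder.
"""
import posixpath
from urllib.parse import unquote_to_bytes

ALLOWED_EXTS = (".asp", ".htm", ".html", ".inc")
BASE = "/IISSAMPLES"


def lenient_decode(raw: bytes) -> str:
    """Permissive decode (constructed model): a two-byte overlong form such
    as C0 AE is accepted and yields the ASCII character it encodes ('.').
    Every other byte is passed through as a single character for the demo."""
    out = []
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def naive_valid_path(path: str) -> bool:
    """Structure the advisory attributes to fValidPath: base-directory
    prefix, allowed extension, then a literal '..' substring test."""
    return (path.upper().startswith(BASE)
            and path.lower().endswith(ALLOWED_EXTS)
            and ".." not in path)


def as_script_saw_it(source_param: str) -> str:
    """Percent-decode the Source parameter and read it as text the way a
    string-comparison layer would: the C0 AE bytes are not turned into
    '.', so the '..' test has nothing to match (demo assumption)."""
    return unquote_to_bytes(source_param).decode("utf-8", errors="replace")


def as_filesystem_resolved_it(source_param: str) -> str:
    """Same bytes after the permissive decode and path normalisation: the
    file the server would actually open."""
    return posixpath.normpath(lenient_decode(unquote_to_bytes(source_param)))


def hardened_valid_path(source_param: str) -> bool:
    """Decode strictly first (overlong sequences raise), normalise, then
    check that the normalised path is still inside BASE and has an allowed
    extension. Validating the string before decoding is the original bug."""
    try:
        decoded = unquote_to_bytes(source_param).decode("utf-8")  # strict
    except UnicodeDecodeError:
        return False
    if "\x00" in decoded or "\\" in decoded:
        return False
    norm = posixpath.normpath(decoded)
    inside = norm.upper() == BASE or norm.upper().startswith(BASE + "/")
    return inside and norm.lower().endswith(ALLOWED_EXTS)


# Constructed sample requests: a benign one, the advisory's overlong form,
# and a plain "..", to show which validator stops which.
BENIGN = "/IISSAMPLES/sdk/asp/docs/hello.asp"
OVERLONG = "/IISSAMPLES/%c0%ae%c0%ae/default.asp"
PLAIN_DOTDOT = "/IISSAMPLES/../default.asp"

if __name__ == "__main__":
    for req in (BENIGN, OVERLONG, PLAIN_DOTDOT):
        print(req)
        print("  naive check   :", naive_valid_path(as_script_saw_it(req)))
        print("  resolves to   :", as_filesystem_resolved_it(req))
        print("  hardened check:", hardened_valid_path(req))
```

Run as a script, the overlong request passes the naive check while resolving to `/default.asp`, and the hardened check rejects it at the strict decode step; the plain `..` request is rejected by both, and the benign request by neither.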
    