Re: Microsoft IIS 5.0 CodeBrws.asp Source Disclosure

From: H D Moore (hdmat_private)
Date: Wed Apr 17 2002 - 05:27:56 PDT

Next message: Randy Hinders: "RE: Microsoft IIS 5.0 CodeBrws.asp Source Disclosure"

Previous message: Simon Lodal: "IBM Informix Web DataBlade: Local root by design"
Next in thread: Chris Anley: "Re: Microsoft IIS 5.0 CodeBrws.asp Source Disclosure"
Reply: Chris Anley: "Re: Microsoft IIS 5.0 CodeBrws.asp Source Disclosure"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Right, you can only access files ending in the four "allowed" extensions.
These extensions are: .asp, .inc, .htm, and .html.

-HD

On Wednesday 17 April 2002 07:25 am, Randy Hinders wrote:
> While checking various files and extensions I wanted to ensure that other
> files were still "protected" from this.  I was not able to read the
> global.asa but was able to read (as expected) other asp pages..
>
> http://localhost//iissamples/sdk/asp/docs/CodeBrws.asp?Source=/IISSAMPLES/%
>c0%ae%c0%ae/global.asa Returned "View Active Server Page Source-- Access
> Denied" to the browser.
>
> http://localhost//iissamples/sdk/asp/docs/CodeBrws.asp?Source=/IISSAMPLES/%
>c0%ae%c0%ae/iisstart.asp Returned the source code to the browser.

Next message: Randy Hinders: "RE: Microsoft IIS 5.0 CodeBrws.asp Source Disclosure"
Previous message: Simon Lodal: "IBM Informix Web DataBlade: Local root by design"
Next in thread: Chris Anley: "Re: Microsoft IIS 5.0 CodeBrws.asp Source Disclosure"
Reply: Chris Anley: "Re: Microsoft IIS 5.0 CodeBrws.asp Source Disclosure"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Apr 17 2002 - 16:04:32 PDT