RE: Microsoft IIS 5.0 CodeBrws.asp Source Disclosure

From: Randy Hinders (rahindersat_private)
Date: Wed Apr 17 2002 - 05:25:27 PDT


    While checking various files and extensions I wanted to ensure that other 
    files were still "protected" from this.  I was not able to read the 
    global.asa but was able to read (as expected) other asp pages.
    
    http://localhost//iissamples/sdk/asp/docs/CodeBrws.asp?Source=/IISSAMPLES/%c0%ae%c0%ae/global.asa
    Returned "View Active Server Page Source-- Access Denied" to the browser.
    
    http://localhost//iissamples/sdk/asp/docs/CodeBrws.asp?Source=/IISSAMPLES/%c0%ae%c0%ae/iisstart.asp
    Returned the source code to the browser.
    
    Yes, the IISSAMPLES and all other SDK items should never be installed on a 
    production machine, but should a client upload this code to a shared hosting 
    environment where the global.asa is properly protected with NTFS permissions, 
    they will not be able to gain access to the source code through this method.
    
    HTH
    
    Randy Hinders
    MCT (ret.), MCSE, MCP +I & A+
    NT Systems Administrator
    DONet, Inc
    www.donet.com
    www.adsi4nt.com
    ~~Hoka Hey, Lakotas~~
    
    
    
    -----Original Message-----
    From: H D Moore [mailto:sflistat_private]
    Sent: Tuesday, April 16, 2002 11:01 PM
    To: bugtraqat_private
    Cc: vulnwatchat_private
    Subject: Microsoft IIS 5.0 CodeBrws.asp Source Disclosure
    
    
    --[ Microsoft IIS 5.0 CodeBrws.asp Source Disclosure
    
    Summary:
    
            Microsoft's IIS 5.0 web server is shipped with a set of
            sample files to demonstrate different features of the ASP
            language. One of these sample files allows a remote user to
            view the source of any file in the web root with the extension
            .asp, .inc, .htm, or .html. The IISSamples virtual directory
            should not be left on production servers in the first place,
            but until now there were no serious[1] vulnerabilities found in
            those sample scripts. Microsoft was _not_ contacted about
            this, they can read the lists like everyone else. This is an
            issue that can be fixed by proper system administration.
    
    <snip>
    
    
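An added detection example (not code from the post, from H D Moore or from Microsoft): a Python scanner for IIS W3C log lines that flags CodeBrws.asp requests whose Source parameter escapes the samples tree, decoding the overlong %c0%ae form the way the server did so the request shown above is caught. The log field order and the sample lines are constructed assumptions.

```python
import re
# Constructed sample in IIS W3C extended log format (field order assumed:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status); not real traffic.
SAMPLE_LOG = """\
2002-04-17 05:20:01 10.0.0.5 GET /iissamples/sdk/asp/docs/CodeBrws.asp Source=/IISSAMPLES/sdk/asp/docs/CodeBrws.asp 200
2002-04-17 05:20:02 10.0.0.5 GET /iissamples/sdk/asp/docs/CodeBrws.asp Source=/IISSAMPLES/%c0%ae%c0%ae/global.asa 200
2002-04-17 05:20:03 10.0.0.5 GET /iissamples/sdk/asp/docs/CodeBrws.asp Source=/IISSAMPLES/../iisstart.asp 200
2002-04-17 05:20:04 10.0.0.9 GET /default.asp - 200
"""

def decode_iis_path(raw: str) -> str:
    # Percent-decode leniently: overlong two-byte UTF-8 forms of ASCII (%c0%ae -> '.',
    # %c0%af -> '/') are accepted, as the vulnerable server accepted them.
    data = re.sub(rb'%([0-9A-Fa-f]{2})', lambda m: bytes([int(m.group(1), 16)]),
                  raw.encode('latin-1', 'replace'))
    overlong = re.sub(rb'[\xC0\xC1][\x80-\xBF]',
                      lambda m: bytes([((m.group()[0] & 0x1F) << 6) | (m.group()[1] & 0x3F)]), data)
    return overlong.decode('latin-1')

def normalize(path: str) -> str:
    # Collapse '.', '..', mixed slashes and case into one canonical web-root path.
    parts = []
    for seg in re.split(r'[\\/]+', path):
        if seg == '..':
            if parts: parts.pop()
        elif seg not in ('', '.'):
            parts.append(seg.lower())
    return '/' + '/'.join(parts)

def classify(uri_stem: str, query: str):
    # Reason string when a CodeBrws.asp request reaches past the samples tree, else None.
    if not uri_stem.lower().endswith('/codebrws.asp'):
        return None
    raw = next((v for k, _, v in (p.partition('=') for p in query.split('&'))
                if k.lower() == 'source'), '')
    decoded = decode_iis_path(raw)
    if '..' in re.split(r'[\\/]+', decoded):
        return f'traversal in Source: {raw} -> {normalize(decoded)}'
    if not normalize(decoded).startswith('/iissamples/'):
        return f'Source outside /iissamples: {normalize(decoded)}'
    return None

def scan_log(text: str):
    # One (client ip, reason) tuple per suspicious log line.
    hits = []
    for f in (line.split(' ') for line in text.splitlines() if line and line[0] != '#'):
        reason = classify(f[4], '' if f[5] == '-' else f[5]) if len(f) >= 7 else None
        if reason:
            hits.append((f[2], reason))
    return hits
```

The denied global.asa request in the post is still logged as a 200 for CodeBrws.asp itself, so matching on status alone misses it; the decoded Source path is what to alert on.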
    



    This archive was generated by hypermail 2b30 : Wed Apr 17 2002 - 16:15:30 PDT