IIS 4.0 leaking files?

From: hypoclear (hypoclearat_private)
Date: Thu Aug 02 2001 - 11:46:00 PDT

  • Next message: Markus Kern: "Re: KaZaA + Morpheus sharing files"

    I posted this to bugtraq, but I'm not sure if it 
    will be posted, so I will post here too...
    
    ---
    I recently viewed a web page on a server running 
    IIS 4.0 and accidently appended a \
    after the url. This to my suprise caused the page 
    to download. This occured under
    Netscape 4.6 (IE5 appears to ignore the \). I was 
    wondering if anyone else could
    confirm this behavior. It is not my server so I 
    cannot do extensive testing on it, so I'm
    bringing it to the community. The file that 
    downloaded was a .html file, however I am
    curious if appending a \ has the possibility of 
    downloading .asp's or .cgi's. If that was
    true it would be a definite security hole. Email 
    me hypoclearat_private or the list with
    any findings.
    
    hypoclear
    



    This archive was generated by hypermail 2b30 : Thu Aug 02 2001 - 12:37:15 PDT