Re: IIS 4.0 leaking files?

From: Stanley G. Bubrouski (stanat_private)
Date: Thu Aug 02 2001 - 19:04:15 PDT


    On 2 Aug 2001, hypoclear wrote:
    
    > I posted this to bugtraq, but I'm not sure if it 
    > will be posted, so I will post here too...
    
    It won't be.  If this was posted to Bugtraq I would expect the next event
    to occur would be hell freezing over and the end of the world.
    
    > 
    > ---
    > I recently viewed a web page on a server running 
    > IIS 4.0 and accidentally appended a \
    > after the url. This to my surprise caused the page 
    > to download. This occurred under
    > Netscape 4.6 (IE5 appears to ignore the \). I was 
    > wondering if anyone else could
    > confirm this behavior. It is not my server so I 
    
    I can.  It is called normal dumb browser behaviour, not big webserver
    security hole.  You want a hole, dig one, you are going nowhere with this.
    
    > cannot do extensive testing on it, so I'm
    > bringing it to the community. The file that 
    > downloaded was a .html file, however I am
    > curious if appending a \ has the possibility of 
    > downloading .asp's or .cgi's. If that was
    
    Why not try it? You'd see that it doesn't work.  The only time appending
    characters to the end of an ASP would download it would be if the person
    was running IIS 4.0 and the ASP resided on a mapped drive and the admin
    didn't install a patch from way back in 98.  I doubt that is the case
    here.  The reason the file was downloaded is because Netscape is
    stupid.  End of story.  IE didn't download the file not because it ignored
    the slash...when you add a slash it assumes you want the directory
    /index.html/ which could be a valid directory...the webserver however did
    remove the slash.
    
    > true it would be a definite security hole. Email 
    > me hypoclearat_private or the list with
    > any findings.
    > 
    
    Good call.
    
    > hypoclear
    > 
    
    I love that name, I'm making a nameplate and putting it on my door.
    
    -Stan
    
    --
    Stan Bubrouski                                       stanat_private
    23 Westmoreland Road, Hingham, MA 02043        Cell:   (617) 835-3284
    



    This archive was generated by hypermail 2b30 : Thu Aug 02 2001 - 20:51:28 PDT