Vulnerable, I have NT 4, sp6, IIS updated at the most and php 4.0.6 installed as cgi, using NTFS. -- jacg -----Mensaje original----- De: NDR113 [mailto:ndr113at_private] Enviado el: Viernes 26 de Octubre de 2001 4:01 PM Para: vuln-devat_private Asunto: data stream bug still alive? Data Stream Bug may still work (on a unsual configuration) [===================================] + Past Problem The Windows NT file system, NTFS, support multiple data streams within a file, been DATA the main content stream. Was reported on July 8, 1998 by Paul Ashton on this mailing list the posibility of get remotely by IIS the source code of files like an ASP script. This was done by requesting the file and ::$DATA. Microsoft relase a fix, and the problem was solve on the subsequent Service Packs for Windows NT. + Present Problem Yet, this problem -it seems to us- that on some unusual configuration as a Windows NT box, with IIS and PHP scripting, persist. In our tests on two separete Windows NT boxes, with IIS 4, PHP4, the fix available for the bug and the latest SP6a, is still possible to obtain the source of PHP files. eg. http://www.server.com/file.php::$DATA + Implications Besides the obvious vulnerability, this show that the fix given by Microsoft far from solving the real problem, it just did the the "workarounds" on the registry on how to manage specific extensions (.asp, .pl, and so on) excluding .php. + Final Anyone how can confirm or refute this please post it. + More Informtion ":$DATA Stream Name of a File May Return Source" http://support.microsoft.com/support/kb/articles/Q188/8/06.ASP "HOW TO: Use NTFS Alternate Data Streams" http://support.microsoft.com/support/kb/articles/Q105/7/63.ASP Roberto Alamos M. (theyeat_private) Carlos Gaona U. (ndr113at_private) www.350cc.com
This archive was generated by hypermail 2b30 : Sat Oct 27 2001 - 21:20:46 PDT