Weakness in default.asp [Hackemate.com Research]

From: KeRoZeNe [Hackemate] (krznat_private)
Date: Mon Nov 12 2001 - 11:45:52 PST


    Research by www.hackemate.com
    
    This weakness was found on some IIS 4.0 servers
    with the following characteristics or similar:
    
    HTTP/1.1 302 Object moved
    Server: Microsoft-IIS/4.0
    Date: Mon, 12 Nov 2001 19:24:52 GMT
    Location: http://www.tectimes.com/ppal.asp
    Connection: Keep-Alive
    Content-Length: 153
    Content-Type: text/html
    Set-Cookie: ASPSESSIONIDGQGQQQCI=CINJJCOADDBCMOCEILCBCCDB; path=/
    Cache-control: private
    
    When you ask for a certain URL, it shows the real path of
    the Web Site files on the server.
    It can be exploited this way:
    http://www.website.com/default.asp?sector=anything
    
    For example:
    http://www.tectimes.com/SistemaMas/default.asp?sector=lamers
    
    It will respond with the following data:
    
    
    error '80020009'
    Exception occurred.
    
    D:\SITIOS_WEB\TECTIMES\NUEVO\SISTEMAMAS\../body.htm, line 74
    
    
    As you can see, it reveals the real path of
    the site directory.
    
    The HTML code of the response:
    
    <SCRIPT LANGUAGE="JavaScript">
    function PopUp(destino)
    {
            var ventana = window.open(destino, "_blank", "left=0,top=0,width=790,height=520,toolbar=no,location=no,status=yes,menubar=no,resizable=yes,scrollbars=yes");
    }
    function sugerencias(d)
    {
            var v=window.open(d + "&title=" + document.title, '_blank', 'left=0,top=0,width=320,height=380,toolbar=no,location=no,status=yes,menubar=no,resizable=no,scrollbars=no')
    }
    
    function comentarios(d)
    {
            var v=window.open(d + "&title=" + document.title, '_blank', 'left=0,top=0,width=340,height=380,toolbar=no,location=no,status=yes,menubar=no,resizable=no,scrollbars=yes')
    }
    </SCRIPT>
     <font face="Arial" size=2>error '80020009'</font>
    <p>
    <font face="Arial" size=2>Exception occurred.
    </font>
    <p>
    <font face="Arial" size=2>D:\SITIOS_WEB\TECTIMES\NUEVO\SISTEMAMAS\../body.htm</font><font face="Arial" size=2>, line 74</font>
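    A defender-side check for this class of leak, added here as an example and not part of the original post: it parses a captured HTTP response and flags an ASP error page whose body discloses a Windows filesystem path. The sample response is constructed, modelled on the error body quoted above; its status line and header set are assumed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on the error body quoted in the post; the status
# line and header set are assumed, not copied from a live capture.
SAMPLE_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: Microsoft-IIS/4.0\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<font face=\"Arial\" size=2>error '80020009'</font>\r\n<p>\r\n"
    "<font face=\"Arial\" size=2>Exception occurred.\r\n</font>\r\n<p>\r\n"
    "<font face=\"Arial\" size=2>D:\\SITIOS_WEB\\TECTIMES\\NUEVO\\SISTEMAMAS\\../body.htm</font>"
    "<font face=\"Arial\" size=2>, line 74</font>\r\n"
)

# Classic ASP runtime errors are rendered as: error '80020009'
ASP_ERROR_RE = re.compile(r"error '([0-9A-Fa-f]{8})'")
# Windows absolute path, optionally followed by ASP's ", line N" suffix.
WIN_PATH_RE = re.compile(r"([A-Za-z]:\\[^\s<>\"',]+)(?:,\s*line\s+(\d+))?")
TAG_RE = re.compile(r"<[^>]+>")

@dataclass
class PathLeak:
    server: str          # value of the Server header, if any
    error_code: str      # ASP HRESULT-style code, e.g. 80020009
    path: str            # disclosed physical path
    line: Optional[int]  # source line reported by the ASP engine

def split_response(raw: str):
    """Return (headers, body) for a raw HTTP/1.x response string."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for field in head.split("\r\n")[1:]:   # skip the status line
        name, _, value = field.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def find_path_leak(raw: str) -> Optional[PathLeak]:
    """Flag an ASP error page whose body discloses a server-side filesystem path."""
    headers, body = split_response(raw)
    text = TAG_RE.sub("", body)            # drop the <font>/<p> wrapping
    err, path = ASP_ERROR_RE.search(text), WIN_PATH_RE.search(text)
    if not (err and path):
        return None                        # error page without a path, or no error at all
    return PathLeak(server=headers.get("server", ""), error_code=err.group(1),
                    path=path.group(1), line=int(path.group(2)) if path.group(2) else None)
```

    Running it over captured responses from your own servers (or over an IIS log pipeline) gives a concrete signal that custom error pages are not yet masking physical paths.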
    
    ---------------
         I will keep on investigating this and send you some more
    information as soon as I get it.
                Greetz from Argentina
    
    KerozenE 1999-2001 c0oL!
    ICQ: XXXXXXXX
    *********************************
    Webmaster of www.hackemate.com.ar
    krznat_private
    *********************************
    Moderator of HACKEMATE Security bulletin
    http://www.eListas.net/lista/hackemate/alta
    hackemate-altaat_private
    *********************************
    Editor of the EZine HC&KTM
    http://www.hackemate.com.ar
    hackemate-altaat_private
    *********************************
    



    This archive was generated by hypermail 2b30 : Mon Nov 12 2001 - 14:46:53 PST