Research by www.hackemate.com

This weakness was found on some IIS 4.0 servers with the following characteristics or similar:

    HTTP/1.1 302 Object moved
    Server: Microsoft-IIS/4.0
    Date: Mon, 12 Nov 2001 19:24:52 GMT
    Location: http://www.tectimes.com/ppal.asp
    Connection: Keep-Alive
    Content-Length: 153
    Content-Type: text/html
    Set-Cookie: ASPSESSIONIDGQGQQQCI=CINJJCOADDBCMOCEILCBCCDB; path=/
    Cache-control: private

When you ask for a certain URL, it shows the real path of the Web Site files in the server. It can be exploited this way:

    http://www.website.com/default.asp?sector=anything

For example:

    http://www.tectimes.com/SistemaMas/default.asp?sector=lamers

It will respond with the next data:

    error '80020009'
    Exception occurred.
    D:\SITIOS_WEB\TECTIMES\NUEVO\SISTEMAMAS\../body.htm, line 74

As you can see, it reveals the real path of the site directory.

The HTML code of the response:

    <SCRIPT LANGUAGE="JavaScript">
    function PopUp(destino) {
      var ventana = window.open(destino, "_blank", "left=0,top=0,width=790,height=520,toolbar=no,location=no,status=yes,menubar=no,resizable=yes,scrollbars=yes");
    }
    function sugerencias(d) {
      var v=window.open(d + "&title=" + document.title, '_blank', 'left=0,top=0,width=320,height=380,toolbar=no,location=no,status=yes,menubar=no,resizable=no,scrollbars=no')
    }
    function comentarios(d) {
      var v=window.open(d + "&title=" + document.title, '_blank', 'left=0,top=0,width=340,height=380,toolbar=no,location=no,status=yes,menubar=no,resizable=no,scrollbars=yes')
    }
    </SCRIPT>
    <font face="Arial" size=2>error '80020009'</font>
    <p>
    <font face="Arial" size=2>Exception occurred. </font>
    <p>
    <font face="Arial" size=2>D:\SITIOS_WEB\TECTIMES\NUEVO\SISTEMAMAS\../body.htm</font><font face="Arial" size=2>, line 74</font>

---------------

I will keep on investigating this and send you some more information as soon as I get it.

Greetz from Argentina

KerozenE 1999-2001 c0oL!
ICQ: XXXXXXXX
*********************************
Webmaster of www.hackemate.com.ar
krznat_private
*********************************
Moderator of HACKEMATE Security bulletin
http://www.eListas.net/lista/hackemate/alta
hackemate-altaat_private
*********************************
Editor of the EZine HC&KTM
http://www.hackemate.com.ar
hackemate-altaat_private
*********************************
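A defender-side check for the leak described in this post, as an added example that is not part of the original message: it scans a response body from your own site for the ASP error signature and an absolute Windows path. The function name, the returned field names and the sample body (built from the error output quoted above) are assumptions made for illustration.

```python
import html
import re

# Constructed sample: the error fragment quoted in the post above.
SAMPLE_BODY = r"""<font face="Arial" size=2>error '80020009'</font>
<p>
<font face="Arial" size=2>Exception occurred. </font>
<p>
<font face="Arial" size=2>D:\SITIOS_WEB\TECTIMES\NUEVO\SISTEMAMAS\../body.htm</font><font face="Arial" size=2>, line 74</font>"""

TAG_RE = re.compile(r"<[^>]+>")
# ASP script errors are reported as an 8-digit hex code in single quotes.
ERROR_RE = re.compile(r"error '([0-9A-Fa-f]{8})'")
# Drive letter + backslash, then everything up to whitespace, comma, quote or tag.
PATH_RE = re.compile(r"\b([A-Za-z]:\\[^\s,<>\"']+)")
LINE_RE = re.compile(r",\s*line (\d+)")


def find_path_disclosure(body):
    """Return details of a leaked server path in an error page, or None."""
    # The error text is split across <font> tags, so match on the visible text.
    text = html.unescape(TAG_RE.sub("", body))
    path = PATH_RE.search(text)
    if path is None:
        return None
    error = ERROR_RE.search(text)
    line = LINE_RE.search(text, path.end())
    full = path.group(1)
    # The directory before the first ".." component is the script's real folder.
    script_dir = re.split(r"[\\/]\.\.(?:[\\/]|$)", full)[0]
    return {
        "error_code": error.group(1) if error else None,
        "path": full,
        "script_dir": script_dir,
        "line": int(line.group(1)) if line else None,
    }


if __name__ == "__main__":
    finding = find_path_disclosure(SAMPLE_BODY)
    if finding:
        print("Path disclosure in response:", finding)
    else:
        print("No absolute server path found in response")
```

Run it over responses captured while requesting your own pages with unexpected parameter values; any hit means raw script errors are reaching the client and should be replaced with a generic error page.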
This archive was generated by hypermail 2b30 : Mon Nov 12 2001 - 14:46:53 PST