It was fixed in SP3 (Bugtraq 2313). ----- Original Message ----- From: <jesperhtat_private> To: <vuln-devat_private> Sent: Saturday, January 05, 2002 9:14 AM Subject: The good , the bad, the IIS. (%3F Weirdness) > > > *I have no clue if this is a new bug or not due to my > lack of hotfixes, but here it goes!* > > Hello fellow vuln-dev'ers, > Here is a srange bug ive found on my test server: > > Microsoft Windows 2000 [Version 5.00.2195] > (service pack 2) > > Making the following request: > > http://bender/global.asa%3f.htr > > Adding a %3f.htr at the end seems to yield its source > code. Because this is a default install, all that it > contains is the following: > > <OBJECT RUNAT=Server SCOPE=Session > ID=MyInfo PROGID="MSWC.MyInfo"> > </OBJECT> > > Ive tried appending %3f.htr to iisstart.asp (another > default file), but that does not reveal a thing. > Renaming iisstart.asp to iisstart.asa and trying to > view its source does not work then either. I cant find > any logic behind this. Please give this a shot, play > with this, and send in your results/thoughts! > > Best Regards, > -Scarabus >
This archive was generated by hypermail 2b30 : Sun Jan 06 2002 - 09:33:57 PST