Microsoft Active Server Pages IIS server hole

Summary
Description:Microsoft really has a problem with clients that send "." don't they? Well here again they let people download asp source by appending a '.' to the url
Author:Mark Joseph Edwards (mark@NTSHOP.NET)
Compromise:Read raw unprocessed asp files which may contain privileged information (remote)
Vulnerable Systems:Systems running M$ IIS web server
Date:20 February 1996
Details

Exploit:
Date: Thu, 20 Feb 1997 11:39:01 -0600
From: Mark Joseph Edwards 
To: BUGTRAQ@NETSPACE.ORG
Subject: ! [ADVISORY] Major Security Hole in MS ASP

                MICROSOFT IIS AND ACTIVE SERVER ADVISORY
                 Security Hole in ASP Discovered in Microsoft ASP
                                February 20, 1997

DESCRIPTION
A serious security hole was found in Microsoft's Active Server Pages (ASP) by Juan 
T. Llibre . This hole allows Web clients to download 
unprocessed ASP files potentially exposing user ids and passwords. ASP files are 
the common file type used by Microsoft's IIS and Active Server to perform 
server-side processing.

HOW IT WORKS
To download an unprocessed ASP file, simply append a period to the asp URL. For 
example: http://www.domain1.com/default.asp becomes 
http://www.domain1.com/default.asp. With the period appendage, Internet Information 
Server (IIS) will send the unprocessed ASP file to the Web client, wherein the 
source to the file can be examined at will. If the source includes any security 
parameter designed to allow access to other system processes, such as an SQL  
database, they will be revealed.

DEFENSE
There are two known ways to stop this behavior:

1.Turn read permissions off of the ASP directory in the Internet Service Manager. 
This may not be a practical solution since many sites mix ASP and HTML files. If 
your site mixes these files together in the same directories, you may want to 
segregate them immediately. Now and in the future, treat your ASP files like any 
other Web based executable, and keep them in separate directories wherein 
permissions can be adjusted accordingly.

2.Download this filter written by Christoph Wille Christoph.Wille@unileoben.ac.at 
which can be located at http://www.ntshop.net/security/tools/sechole.zip or from 
http://www.genusa.com/asp/patch/sechole.zip

END OF ADVISORY



More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault