ANOTHER pathetic IIS 3.0 vulnerability
Description: Microsoft CANNOT seem to handle dots at all in their programs. After fixing the name.asp. bug, the great guys at the l0pht found that their "fix" introduced another '.' bug, this time using the hex representation.
Author: Weld Pond <firstname.lastname@example.org>
Compromise: Remotely obtain .asp, .ht, .id, .PL files etc.
Vulnerable Systems: Those running vulnerable M$ IIS 3.0 web server
Date: 21 March 1997
Date: Fri, 21 Mar 1997 16:19:44 -0500
From: Who cares what the hell goes into a Gecos field anyway!
Reply-To: Windows NT BugTraq Mailing List , Who cares what the hell goes into a Gecos field anyway!
Subject: BoS: updated advisory (fwd)
Resent-Date: Sat, 22 Mar 1997 15:31:05 +1100 (EST)
L0pht Security Advisory
Advisory released Mar 19 1997
Application: Microsoft IIS 3.0
Vulnerability Scope: IIS 3.0 w/latest hot-fixes dated Feb 27 14:22:00
Severity: Users can read the server side script in .asp, .ht, .id, .PL files
Microsoft's IIS 3.0 supports server side scripting using "Active Server
Pages" or .asp files. These files are meant to execute and not be
visible to the user. These scripts may contain sensitive information
such as SQL Server passwords.
Microsoft posted a patch on 2/27/97 to fix a problem that allowed web
users to display these files instead of executing them. Their patch
opened up a new hole that allows users to still display these files.
In effect the patch doesn't work. If you installed the patch you
are still vulnerable.
A problem was discovered in IIS 3.0 that allowed users to read the
contents of .asp files by appending a '.' or a series of '.'s to the
end of a URL:
Microsoft acknowledged the problem and released a hot-fix patch to IIS 3.0.
This is available from
This hot-fix solved the trailing '.' problem but opened up a new hole which
allows the same results - viewing the .asp file instead of executing it.
This is accomplished by replacing the '.' in the filename part of a URL
with a '%2e', the hex value for '.':
Your browser will prompt you to save the file to disk where you can then
view the contents of the .asp file.
Web sites that have not installed the Microsoft IIS 3.0 hot-fix are not
affected by this problem although the trailing '.' method still works to
display the contents of the .asp file.
Microsoft has been notified of this problem.
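As an added illustration (not code from the advisory, from L0pht, or from IIS itself), the Python below models the two bypasses the advisory describes: an extension check done on the raw URL string is fooled by a trailing '.' or by '%2e', while the same check done on the canonical path (percent-decoded, trailing dots removed the way the Windows file system ignores them) is not. The modelled IIS behaviour and the sample requests are assumptions drawn from the advisory's description, not IIS source.

```python
from urllib.parse import unquote

# Extensions the advisory says IIS 3.0 hands to server-side interpreters.
SCRIPT_EXTENSIONS = (".asp", ".ht", ".id", ".pl")


def naive_is_script(url_path: str) -> bool:
    """Extension match on the raw URL string (assumption: this models what the
    patched IIS 3.0 effectively did, reconstructed from the advisory)."""
    return url_path.lower().endswith(SCRIPT_EXTENSIONS)


def canonical_path(url_path: str) -> str:
    """Return the name the file system will actually open: percent-decode,
    then drop the trailing dots that Win32 silently ignores on open."""
    return unquote(url_path).rstrip(".")


def safe_is_script(url_path: str) -> bool:
    """Extension match on the canonical path, so neither encoding nor
    trailing dots can turn a script into a static download."""
    return naive_is_script(canonical_path(url_path))


def dispatch(url_path: str, check=safe_is_script) -> str:
    """'execute' hands the file to the script engine; 'serve' sends its bytes."""
    return "execute" if check(url_path) else "serve"


def missed_by_naive_check(requests):
    """Requests the raw-string check would serve as source even though the
    file system resolves them to a script file."""
    return [r for r in requests
            if dispatch(r, naive_is_script) == "serve" and dispatch(r) == "execute"]


# Constructed sample requests: the trailing-dot form from the first bug, the
# '%2e' form the hot-fix left open, and two benign controls.
SAMPLE_REQUESTS = [
    "/default.asp",          # normal request, executed by both checks
    "/default.asp.",         # trailing '.' (pre-hot-fix bug)
    "/default.asp...",       # series of dots, same effect
    "/default%2easp",        # '%2e' for '.', works even with the hot-fix
    "/cgi/script%2ePL",      # case and encoding mixed
    "/images/logo.gif",      # static file, served by both
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(f"{r:20} naive={dispatch(r, naive_is_script):8} canonical={dispatch(r)}")
    print("missed by naive check:", missed_by_naive_check(SAMPLE_REQUESTS))
```

The same canonicalise-then-decide rule is what a request filter or log-based detector should apply: compare on the decoded, trailing-dot-stripped path, never on the bytes as they arrived.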
Check out http://www.l0pht.com/advisories.html for other l0pht advisories