IIS 3.0 had a bug which allowed ASP source to be downloaded by appending a . to the filename. That was eventually fixed by MS but they didn't fix the same hole in their Personal Web Server.
Lynn Kyle <lynn@RAINC.COM>
Read ASP file source, could contain passwords, etc.
Those running vulnerable version of MS Personal Web Server
22 March 1998
Date: Sun, 22 Mar 1998 10:15:01 -0700
From: Lynn Kyle <lynn@RAINC.COM>
Subject: MS Personal Web Server
Has this been reported?
The MS Personal Web Server (tried on the win95, not NT) suffers
from the old IIS 3.0 unpatched bug of allowing you to download
asp files by using a trailing ".".
telnet victim 80
GET /default.asp. HTTP/1.0
will give you the contents of the asp not the result.
oops for any of you embedding a db login/pass in the asp.
Date: Mon, 23 Mar 1998 02:20:56 -0300
From: "Rubens Kuhl Jr." <rkuhljr@PUERIDOMUS.BR>
Subject: Re: MS Personal Web Server
What version of MS PWS does this apply to ?
NT Option Pack includes IIS 4.0 for NT Server, PWS 4.0 for NT Workstation
and PWS 4.0 for Windows 95, and I would think (although I haven't tested to
be sure) that this doesn't affect PWS 4.0/Win95.
Rubens Kuhl Jr.
> -----Original Message-----
> From: Lynn Kyle [SMTP:lynn@RAINC.COM]
> Sent: Sunday, March 22, 1998 2:15 PM
> To: BUGTRAQ@NETSPACE.ORG
> Subject: MS Personal Web Server
> Has this been reported?
> The MS Personal Web Server (tried on the win95, not NT) suffers
> from the old IIS 3.0 unpatched bug of allowing you to download
> asp files by using a trailing ".".
> telnet victim 80
> GET /default.asp. HTTP/1.0
> will give you the contents of the asp not the result.
> oops for any of you embedding a db login/pass in the asp.
The master index of all exploits is available
here (Very large file)
Or you can pick your favorite operating system:
This page is part of Fyodor's exploit
For a free program to automate scanning your network for vulnerable
hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces: