DATE:  
COMMAND                                            SOURCE: 
                                                   AUTHOR: 
  IIS

SYSTEMS AFFECTED

  Win NT 4.0 (server)
  

PROBLEM


    The following  text is  part of  L0pht Security  Advisory and it's
    author is weld@l0pht.com.  It is  based on ASP attack and MS patch 
    opened a new hole.  L0pht SA are placed on 

    http://www.l0pht.com/advisories.html

    Microsofts IIS  3.0 supports  server side  scripting using "Active
    Server Pages" or .asp files. These files are meant to execute  and
    not be visible  to the user.  These scripts may  contain sensitive
    information  such  as  SQL  Server  passwords.  These files can be
    downloaded and viewed  instead of executed  by replacing '.'  in a
    URL with a '%2e'.  Severity: Users can read the server side script
    in .asp, .ht., .id, .PL files

    This problems  discovered in  IIS 3.0  allowed users  to read  the
    contents of .asp files by appending  a '.' or a series of  '.'s to
    the end of a URL:

        http://www.mycompany.com/default.asp

    becomes

        http://www.mycompany.com/default.asp.

    Microsoft acknowledged the problem and released a hot-fix patch
    to IIS 3.0.  This is available from:

        http://www.microsoft.com/iis/iisnews/hotnews/security.htm

    This hot-fix solved the trailing  '.' problem but opened up  a new
    hole  which  allows  the  same  results  -  viewing  the .asp file
    instead of executing it.

    This is accomplished by replacing the '.' in the filename part  of
    a URL with a '%2e', the hex value for '.':

        http://www.mycompany.com/default.asp

    becomes

        http://www.mycompany.com/default%2easp

    Your browser will prompt  you to save the  file to disk where  you
    can then view the contents of the .asp file.

    Web sites that  have not installed  the Microsoft IIS  3.0 hot-fix
    are not affected by this problem although the trailing '.'  method
    still works to display the contents of the .asp file.

    Interesting thing happend when  MS announced that they  fixed this
    bug.  After that Dick van den Burg tried to reproduced same  thing
    on MS web site but this time failed.  Anyway, imagination said  do
    it this way:

        http://www.microsoft.com/default%2e%41sp.

    and did allow him to retrieve the .asp file.



EXPLOIT

  

SOLUTION


    Microsoft has been notified of this problem.  Hot-fix is expected.