DATE:
COMMAND: IIS
SOURCE:
AUTHOR:
SYSTEMS AFFECTED: Win NT 4.0 (server)

PROBLEM

The following text is part of a L0pht Security Advisory; its author is firstname.lastname@example.org. It is based on the ASP attack, and the MS patch opened a new hole. L0pht SAs are available at http://www.l0pht.com/advisories.html

Microsoft's IIS 3.0 supports server-side scripting using "Active Server Pages" or .asp files. These files are meant to be executed, not shown to the user. These scripts may contain sensitive information such as SQL Server passwords. These files can be downloaded and viewed instead of executed by replacing the '.' in a URL with '%2e'.

Severity: Users can read the server-side script in .asp, .ht., .id, .PL files.

The problem originally discovered in IIS 3.0 allowed users to read the contents of .asp files by appending a '.' or a series of '.'s to the end of a URL:

http://www.mycompany.com/default.asp becomes http://www.mycompany.com/default.asp.

Microsoft acknowledged the problem and released a hot-fix patch for IIS 3.0. It is available from: http://www.microsoft.com/iis/iisnews/hotnews/security.htm

This hot-fix solved the trailing '.' problem but opened up a new hole that gives the same result: the .asp file is viewed instead of executed. This is accomplished by replacing the '.' in the filename part of a URL with '%2e', the hex value for '.':

http://www.mycompany.com/default.asp becomes http://www.mycompany.com/default%2easp

Your browser will prompt you to save the file to disk, where you can then view the contents of the .asp file.

Web sites that have not installed the Microsoft IIS 3.0 hot-fix are not affected by this problem, although the trailing '.' method still works to display the contents of the .asp file.

An interesting thing happened when MS announced that they had fixed this bug. After that, Dick van den Burg tried to reproduce the same thing on the MS web site, but this time it failed. Anyway, imagination said to do it this way: http://www.microsoft.com/default%2e%41sp, and that did allow him to retrieve the .asp file.

EXPLOIT

SOLUTION

Microsoft has been notified of this problem. A hot-fix is expected.
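The root cause in all three variants above is the same: the server decides "script or static file?" from the raw URL text, while the filesystem opens the file by its decoded, normalised name. The added example below (not code from the advisory, L0pht or IIS; the `SCRIPT_EXTENSIONS` table and function names are constructed for illustration) contrasts a raw-string dispatch with one that percent-decodes, strips trailing dots and lowercases the filename before the extension lookup, so every spelling of default.asp is handed to the script engine.

```python
from urllib.parse import unquote

# Extensions that must always go to the script engine and never be served as a
# download. Constructed for this example; only .asp is taken from the advisory.
SCRIPT_EXTENSIONS = {".asp"}


def naive_is_script(url_path: str) -> bool:
    """Dispatch on the raw URL text, as the advisory describes IIS 3.0 doing.

    A trailing '.', an encoded '.' (%2e) or an encoded letter (%41) no longer
    matches the '.asp' mapping, so the file is served as static content.
    """
    return url_path.lower().endswith(tuple(SCRIPT_EXTENSIONS))


def canonical_filename(url_path: str) -> str:
    """Reduce a URL path to the filename the filesystem would actually open."""
    decoded = unquote(url_path)          # %2e -> '.', %41 -> 'A' (one decode, like the server)
    filename = decoded.rsplit("/", 1)[-1]
    filename = filename.rstrip(".")      # NT ignores trailing dots, so the lookup must too
    return filename.lower()              # NT filenames are case-insensitive


def hardened_is_script(url_path: str) -> bool:
    """Dispatch on the canonical filename, so encoding tricks cannot change the handler."""
    name = canonical_filename(url_path)
    dot = name.rfind(".")
    return dot != -1 and name[dot:] in SCRIPT_EXTENSIONS


if __name__ == "__main__":
    # The three request forms from the advisory plus the plain one.
    for path in ("/default.asp", "/default.asp.", "/default%2easp", "/default%2e%41sp"):
        print(f"{path:20} naive={naive_is_script(path)!s:5} hardened={hardened_is_script(path)}")
```

Run stand-alone it prints `naive=False` for the three disguised forms and `hardened=True` for all four.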