
NSFOCUS Security Advisory 2000.2

Posted Jul 26, 2000
Authored by Isbase Security Team, NSFOCUS | Site isbase.com

ISBASE Security Advisory (SA2000-02) - Microsoft IIS v4.0 and 5.0 for Windows NT and Windows 2000 sometimes displays the contents of files that should not normally be displayed and that sometimes contain sensitive data. IIS can be tricked into calling ISM.DLL and exposing the contents of .asp, .asa, and .ini files. Exploit description included.

tags | exploit, asp
systems | windows
SHA-256 | c08944303a5c4fb8db44beece6ca8c9e5f3f74e31842f8ec050ebb34e977435c

ISBASE Security Advisory(SA2000-02)


Topic: IIS ISM.DLL truncation exposes file content

Release Date: July 17, 2000


Affected software version:
===========================

Microsoft Internet Information Server 4.0
Microsoft Internet Information Server 5.0

Platform:
==========

Windows NT 4.0 and Windows 2000


Impact:
=========

The Isbase security team has found a security flaw in Microsoft IIS 4.0/5.0.
An attacker can obtain the contents of certain types of files (.asp, .asa, .ini, ...)
in Microsoft Internet Information Server 4.0 or 5.0. Normally an attacker should
not be able to access the contents of those files. An attacker could obtain
sensitive data contained in those files.

Description:
==============

When an existing filename (for example, global.asa) is requested from Microsoft
Internet Information Server 4.0/5.0 with "+" appended and an extension of
".htr", IIS is tricked into calling the ISM.DLL ISAPI application to handle the
request. When "+" is found in the filename, ISM.DLL truncates the "+.htr" and
opens the target file (global.asa). If the target file is not an ".htr" file,
part of the target file's source code is exposed to the attacker. For example,
an attacker can retrieve the content of global.asa, which often contains
sensitive information such as a SQL server username and password.



Exploit:
==========
Put this URL in your browser and view the source code of the returned page:

http://www.victim.com/global.asa+.htr

Workaround:
===========
If you don't need HTR functionality, remove the script mapping for HTR.
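
An added example, not part of the ISBASE advisory: a Python check that scans W3C extended log lines for requests whose path ends in "+.htr", the request pattern described above, so an administrator can see which files were targeted. The log lines, addresses and the function name find_htr_truncation are constructed for illustration, and the log is assumed to carry a cs-uri-stem field.

```python
"""Flag W3C log entries whose request path ends in '+.htr' (added example)."""
from urllib.parse import unquote

# Constructed sample log in W3C extended format; hosts, paths and times are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2000-07-18 09:12:01 192.0.2.10 GET /default.asp 200
2000-07-18 09:12:07 192.0.2.44 GET /global.asa+.htr 200
2000-07-18 09:12:09 192.0.2.44 GET /scripts/login.asp%2B.HTR 200
2000-07-18 09:13:30 192.0.2.10 GET /iisadmpwd/aexp.htr 200
2000-07-18 09:14:02 192.0.2.77 GET /config.ini+.htr 404
"""

def find_htr_truncation(lines):
    """Return one dict per request whose decoded path ends in '+.htr'."""
    fields, hits = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # column names for the rows that follow
            continue
        if not line or line.startswith("#") or "cs-uri-stem" not in fields:
            continue
        values = line.split()
        if len(values) != len(fields):       # malformed or truncated row
            continue
        row = dict(zip(fields, values))
        stem = unquote(row["cs-uri-stem"])   # %2b / %2B decode to '+'
        if not stem.lower().endswith("+.htr"):
            continue                         # ordinary .htr requests are not flagged
        hits.append({
            "client": row.get("c-ip", "-"),
            "target": stem[:-len("+.htr")],  # file named before the "+.htr" suffix
            "status": row.get("sc-status", "-"),
            "answered_200": row.get("sc-status") == "200",
        })
    return hits

if __name__ == "__main__":
    for hit in find_htr_truncation(SAMPLE_LOG.splitlines()):
        print(hit)
```

Entries with answered_200 set are the ones to review first, since the server answered the request instead of rejecting it.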

Solution:
===========
Microsoft has been informed and has released a security bulletin concerning
this flaw.

The bulletin is live at:

http://www.microsoft.com/technet/security/bulletin/MS00-044.asp

Patches are available at:

IIS 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=22709
IIS 5.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=22708



Isbase Security Team <security@isbase.com>

ISBASE INFORMATION TECHNOLOGY CO.,LTD
(http://www.isbase.com)
