[Full-Disclosure] [bWM#013] IIS (patched) may execute any file in a ".asp"-directory (bad behavior)

ben.moeckel_at_badwebmasters.net
Date: 08/03/03

    To: <full-disclosure@lists.netsys.com>
    Date: Sun,  3 Aug 2003 14:00:02 +0200
    
    

    badWebMasters security advisory #013

    IIS (patched) may execute any file in a ".asp"-directory (bad behavior)

    Discovery date: 2003-05-17
      
    Author:
    ben moeckel (http://distressed.de)
    mailto: badwebmasters@online.de
     
      
    Description:
    When a directory is named like an ASP file, the ASP engine will parse
    any file in it, no matter what extension the file has.

    This may be dangerous when users are able to create directories and
    upload images into them: a malicious user could upload an ASP script
    with the extension of an image and run it on the server.
     
      
    Exploit:
    Create the directory "test.asp" in your webroot and place the following
    file in it:

    -- exploit.gif ------------------------------------

            Hello world, I'm an image!

    ---------------------------------------------------
    Open http://localhost/test.asp/exploit.gif in your browser and you
    should read the message.
     
      
    Live sample:
    http://badwebmasters.net/advisory/013/test.asp/exploit.gif
     
      
    Vendor:
    Microsoft has been contacted 06-16-03 via the webform about this bug.
     
      
    References:
    aspforum.de "Verschickter IIS..." (German)
    - http://aspforum.de/topic.asp?TOPIC_ID=13863

    Path Parsing Errata in Apache
    - http://cert.uni-stuttgart.de/archive/bugtraq/2003/01/msg00202.html
     
      
    Feedback:
    Comments, suggestions, updates, anything else?
       -> mailto:badwebmasters@online.de
     
      
    Source:
    http://badwebmasters.net/advisory/013/ (text/html)
     
      
    _________________________________________

    badWebMasters - ben moeckel security research
    http://badwebmasters.de http://badwebmasters.net
    copyright 2k1-3 by Benjamin Klimmek / Germany
    mailto:badwebmasters@online.de
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
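
The following is an added example, not part of the original advisory: a defensive check for the behaviour described above, which rejects user-chosen directory names that look like an ASP file and audits a webroot for non-ASP files sitting under such directories. The function names and the sample tree are constructed for illustration; treating nested subdirectories as exposed is a conservative assumption, since the advisory only describes files placed directly in the ".asp" directory.

```python
import os
import tempfile

SCRIPT_EXT = ".asp"  # the only extension the advisory covers


def _normalize(name):
    # Windows drops trailing dots and spaces from path components,
    # so "test.asp." and "test.asp " both end up as "test.asp".
    return name.strip().rstrip(". ").lower()


def looks_like_asp(name):
    return _normalize(name).endswith(SCRIPT_EXT)


def is_allowed_dirname(name):
    """Upload-side check: refuse empty names and names shaped like an ASP file."""
    return bool(_normalize(name)) and not looks_like_asp(name)


def audit_webroot(webroot):
    """Map each non-ASP file under a '*.asp' directory to that directory's name."""
    exposed = {}
    for current, _dirs, files in os.walk(webroot):
        rel = os.path.relpath(current, webroot)
        segments = [] if rel == "." else rel.split(os.sep)
        hit = next((s for s in segments if looks_like_asp(s)), None)
        if hit is None:
            continue
        for fname in files:
            # Real .asp files are expected to execute; anything else is the surprise.
            if not fname.lower().endswith(SCRIPT_EXT):
                exposed["/".join(segments + [fname])] = hit
    return exposed


def build_sample_tree(root):
    """Constructed sample layout mirroring the advisory's test.asp/exploit.gif."""
    for rel in ("test.asp/exploit.gif", "test.asp/index.asp",
                "images/logo.gif", "Gallery.ASP/thumbs/a.jpg"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("placeholder")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for path, directory in sorted(audit_webroot(root).items()):
            print(f"{path}: inside directory named {directory!r}")
```

Run `is_allowed_dirname` wherever users can create or rename directories, and run `audit_webroot` against the existing content tree to find directories created before the check was in place.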

