Re: Weakness in default.asp [Hackemate.com Research]

From: Thor@HammerofGod.com
Date: 11/13/01


From: Thor@HammerofGod.com
To: krzn@softhome.net, bugtraq@securityfocus.com
Message-Id: <5.1.0.14.0.20011112150654.00b01240@192.168.3.190>
Date: Mon, 12 Nov 2001 15:08:51 -0800
Subject: Re: Weakness in default.asp [Hackemate.com Research]


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Just a quick reply... One should always turn off detail ODBC error logging
on production systems. When you do so, you would get a standard "Internal
Server Error" by default rather than the detailed errors. This is true for
IIS 4.0 and 5.0.

hth

At 04:45 PM 11/12/2001 -0300, KeRoZeNe [Hackemate] wrote:

>When you ask for a certain URL, it shows the real path of
>the Web Site files in the server.
>It can be exploited this way:
>http://www.website.com/default.asp?sector=anything
>
>For example:
>http://www.tectimes.com/SistemaMas/default.asp?sector=lamers
>
>It will respond with the nexy data:
>
>
>error '80020009'
>Exception occurred.
>
>D:\SITIOS_WEB\TECTIMES\NUEVO\SISTEMAMAS\../body.htm, line 74
>

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBO/BWg4hsmyD15h5gEQI/swCgkwmsL96IF9dL/KK+NAE5CQEt1NAAniDQ
eORoCbZMaO+K91837kHdFmHB
=AOfB
-----END PGP SIGNATURE-----