Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » Microsoft IIS 5.0 CodeBrws.asp Source Disclosure

Microsoft IIS 5.0 CodeBrws.asp Source Disclosure

by Nikola Strahija on April 21st, 2002 Microsoft's IIS 5.0 web server is shipped with a set of sample files to demonstrate different features of the ASP language. One of these sample files allows a remote user to view the source of any file in the web root with the extension .asp, .inc, .htm, or .html. The IISSamples virtual directory should not be left on production servers in the first place, but until now there were no serious[1] vulnerabilities found in those sample scripts. Microsoft was _not_ contacted about this, they can read the lists like everyone else. This is an issue that can be fixed by proper system administration.


Solution:

Remove the /IISSamples virtual directory using the Internet
Services Manager. If for some reason this is not possible,
removing the following ASP script will fix the problem:

This path assumes that you installed IIS in c:inetpub

c:inetpubiissamplessdkaspdocsCodeBrws.asp

Details:

The IIS developers actually put some thought into securing
this sample script. Unfortunately for them and their user
base, they didn't take into account the Unicode character
set when checking the path passed to the script.

The function fValidPath in CodeBrws.asp has the following
comment placed above it:

REM **************************************
REM intended behavior:
REM allow access to only .asp, .htm, .html, .inc files
REM in some directory starting from /IISSAMPLES
REM and without .. in the path
REM **************************************

The fValidPath function first checks to see if the base
directory starts with "/IISSAMPLES", then verifies that the
last characters of the request are one of the allowed
extensions, and finally checks to see if the ".." sequence is
anywhere in the string.

The problem is that ".." can be represented a number of other
ways using the Unicode character set. For instance, the
sequence %c0%ae%c0%ae will be decoded as two periods by IIS,
but will not be caught by the InStr(1,strPath,"..",1) code in
the ASP script. So to create a request which passes the input
filters but retrieves the source of default.asp...

/iissamples/sdk/asp/docs/CodeBrws.asp?Source=/IISSAMPLES/%c0%ae%c0%ae/default.asp


[1] While all versions of IIS previous to 5.0 had significant problems
with the bundled sample scripts, 5.0 has only had a couple information
gathering issues to date. Due to the lowered risk, many administrators
have left the iissamples virtual directory mapped on their
production servers.


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »