From ben.moeckel@badwebmasters.net Mon Aug 4 06:03:46 2003
From: ben.moeckel@badwebmasters.net
To: full-disclosure@lists.netsys.com
Date: Sun, 3 Aug 2003 14:00:02 +0200
Subject: [Full-Disclosure] [bWM#013] IIS (patched) may execute any file in a ".asp"-directory (bad behavior)

badWebMasters security advisory #013

IIS (patched) may execute any file in a ".asp"-directory (bad behavior)

Discovery date: 2003-05-17
Author: ben moeckel (http://distressed.de)
mailto: badwebmasters@online.de

Description:
When a directory is named like an asp-file, the asp engine will parse
any file in it, no matter what extension the file has. This may be
dangerous when users are able to create directories and upload images
into them: a malicious user could upload an asp-script with the
extension of an image and run it on the server.

Exploit:
Create the directory "test.asp" in your webroot and place the following
file in it:

-- exploit.gif ------------------------------------
Hello world, I'm an image!
---------------------------------------------------

Open http://localhost/test.asp/exploit.gif in your browser and you
should read the message.

Live sample:
http://badwebmasters.net/advisory/013/test.asp/exploit.gif

Vendor:
Microsoft has been contacted on 06-16-03 via the webform about this bug.

References:
aspforum.de "Verschickter IIS..." (German)
- http://aspforum.de/topic.asp?TOPIC_ID=13863
Path Parsing Errata in Apache
- http://cert.uni-stuttgart.de/archive/bugtraq/2003/01/msg00202.html

Feedback:
Comments, suggestions, updates, anything else?
-> mailto:badwebmasters@online.de

Source:
http://badwebmasters.net/advisory/013/ (text/html)

_________________________________________
badWebMasters - ben moeckel security research
http://badwebmasters.de
http://badwebmasters.net
copyright 2k1-3 by Benjamin Klimmek / Germany
mailto:badwebmasters@online.de

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
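
A defender-side check for the behaviour the advisory describes, as an added example that is not part of the original post: it rejects user-supplied directory names that end in a script-mapped extension and audits a webroot for such directories and the files sitting in them. The function names, the SCRIPT_EXTS set (only ".asp", the one extension the advisory names) and the sample webroot are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumption: only ".asp" is listed because it is the only extension the
# advisory names; extend the set to match the server's own script mappings.
SCRIPT_EXTS = {".asp"}

def looks_like_script(name, exts=SCRIPT_EXTS):
    """True if a directory name ends in a script-mapped extension."""
    # Windows file names are case-insensitive, and Win32 drops trailing
    # dots and spaces, so normalise before comparing.
    cleaned = name.rstrip(". ").lower()
    return cleaned.endswith(tuple(exts))

def risky_dir_segments(url_path, exts=SCRIPT_EXTS):
    """Directory segments of a URL path (all but the last) named like scripts."""
    parts = [p for p in url_path.replace("\\", "/").split("/") if p]
    return [p for p in parts[:-1] if looks_like_script(p, exts)]

def audit_webroot(root, exts=SCRIPT_EXTS):
    """Map each script-named directory under root to the files directly in it."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if dirpath != root and looks_like_script(os.path.basename(dirpath), exts):
            findings[os.path.relpath(dirpath, root)] = sorted(filenames)
    return findings

def demo():
    """Build a constructed webroot mirroring the advisory's layout and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "test.asp"))
        os.makedirs(os.path.join(root, "images"))
        for rel in ("test.asp/exploit.gif", "images/logo.gif"):
            with open(os.path.join(root, *rel.split("/")), "w") as fh:
                fh.write("constructed sample file\n")
        return audit_webroot(root)

if __name__ == "__main__":
    print(demo())
    print(risky_dir_segments("/test.asp/exploit.gif"))
    print(risky_dir_segments("/images/test.asp"))
```

An upload or "create folder" handler can call looks_like_script() on the requested directory name before creating it, and audit_webroot() can run periodically over directories that users are allowed to write to.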