Bugtraq mailing list archives

Re: [NTSEC] ! [ADVISORY] Major Security Hole in MS ASP


From: mitja.kolsek () IJS SI (Mitja Kolsek)
Date: Tue, 25 Feb 1997 09:24:22 +0100


I suppose there's a simpler solution for those who want to protect their
.asp, .idc & .htx files that are so well mixed among regular .htm files.
In your registry, under IIS ScriptMapping
(HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W3SVC\Parameters\ScriptMapping)
(could be this is not _quite_ exact, but you'll find it)
Create a string value named ".ASP." (note the ending dot) and copy its data
from the ".ASP" value already present in this registry key if you're running
IIS 3.0. This successfully renders the 'dot attack' ineffective. Apply this
procedure to all script extensions.

Nevertheless I suggest moving all script files to a separate folder, so use
this technique only as a temporary measure. There will soon be another
security hole in the wild so it's better to be prepared.

Mitja Kolsek

----------
From: Mark Joseph Edwards <mark () ntshop net>
To: 'bugtraq () netspace org'
Cc: 'ntbugtraq () rc on ca'; 'ntsecurity () iss net'
Subject: [NTSEC] ! [ADVISORY] Major Security Hole in MS ASP
Date: Thursday, February 20, 1997 6:39 PM


                MICROSOFT IIS AND ACTIVE SERVER ADVISORY
                 Security Hole in ASP Discovered in Microsoft ASP
                                February 20, 1997

DESCRIPTION
A serious security hole was found in Microsoft's Active Server Pages (ASP)
by Juan T. Llibre <j.llibre () codetel net do>. This hole allows Web clients
to download unprocessed ASP files potentially exposing user ids and
passwords. ASP files are the common file type used by Microsoft's IIS and
Active Server to perform server-side processing.

HOW IT WORKS
To download an unprocessed ASP file, simply append a period to the ASP URL.
For example, <http://www.domain1.com/default.asp> becomes
<http://www.domain1.com/default.asp.>. With the period appended, Internet
Information Server (IIS) will send the unprocessed ASP file to the Web
client, wherein the source to the file can be examined at will. If the
source includes any security parameter designed to allow access to other
system processes, such as an SQL database, they will be revealed.
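The mechanism in HOW IT WORKS above and the two counter-measures in Mitja Kolsek's reply (the ".ASP." script-map entry and a separate folder for scripts), as a small Python model. This is an added example written for this archive page, not code from either poster. It assumes, as marked in the code, that the IIS script-map lookup matches a key against the tail of the URL path, which is one model that reproduces both the bypass and the effect of the added ".ASP." entry; that Win32 drops trailing dots when opening a file, so "default.asp." opens "default.asp"; and that a "separate folder" is one granted execute but not read access. SCRIPT_MAP, SAMPLE_LOG and the handler names are constructed for the example.

```python
"""Model of the IIS 'dot attack' and of the two counter-measures from the
Bugtraq thread.  Added example for this archive page, not code by either
poster.  The script-map lookup, the path handling and the folder rule are
labelled assumptions chosen to reproduce the behaviour the messages describe."""

import posixpath
import re
from urllib.parse import urlsplit, unquote

# Constructed ScriptMapping table in the shape of the registry values the
# reply points at (extension -> handler).  Handler names are placeholders.
SCRIPT_MAP = {".asp": "asp.dll", ".idc": "httpodbc.dll"}

# Constructed access-log lines in Common Log Format, with one attack attempt.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Feb/1997:18:39:01 -0600] "GET /default.asp. HTTP/1.0" 200 2310',
    '10.0.0.5 - - [20/Feb/1997:18:39:02 -0600] "GET /default.asp HTTP/1.0" 200 512',
    '10.0.0.7 - - [20/Feb/1997:18:40:10 -0600] "GET /index.htm. HTTP/1.0" 200 900',
    '10.0.0.9 - - [20/Feb/1997:18:41:00 -0600] "GET /query.idc?x=1 HTTP/1.0" 200 100',
]


def mapped_handler(url_path, script_map):
    """Handler for the request, or None.  ASSUMPTION: a script-map key is
    matched against the tail of the (case-folded) URL path, so 'default.asp.'
    ends with '.' and is unmapped until a '.asp.' key exists."""
    path = unquote(urlsplit(url_path).path).lower()
    for key in sorted(script_map, key=len, reverse=True):
        if path.endswith(key):
            return script_map[key]
    return None


def physical_name(url_path):
    """File the server actually opens.  ASSUMPTION: Win32 strips trailing dots
    and spaces from a file name, so 'default.asp.' opens 'default.asp'."""
    head, name = posixpath.split(unquote(urlsplit(url_path).path))
    return posixpath.join(head, name.rstrip(". "))


def handle_request(url_path, script_map, execute_only_dirs=()):
    """What the server does with the request: ('execute' | 'serve_file' |
    'forbidden', filename)."""
    fname = physical_name(url_path)
    if mapped_handler(url_path, script_map) is not None:
        return "execute", fname
    directory = posixpath.dirname(fname)
    if any(directory == d or directory.startswith(d + "/") for d in execute_only_dirs):
        # ASSUMPTION: a folder with execute but no read access never hands out
        # file contents, whatever the extension lookup decided.
        return "forbidden", fname
    return "serve_file", fname


def harden_script_map(script_map):
    """The reply's workaround: beside every mapped extension add the same entry
    keyed by the extension plus a trailing dot ('.ASP.' next to '.ASP')."""
    hardened = dict(script_map)
    for ext, handler in script_map.items():
        hardened[ext + "."] = handler
    return hardened


_REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def dot_attack_requests(log_lines, script_map):
    """Request paths that are a mapped script name with dots appended, i.e.
    attempts at the attack, pulled from Common Log Format lines."""
    hits = []
    for line in log_lines:
        m = _REQUEST.search(line)
        if not m:
            continue
        path = urlsplit(m.group(1)).path
        stripped = path.rstrip(".")
        if path != stripped and mapped_handler(stripped, script_map) is not None:
            hits.append(path)
    return hits


if __name__ == "__main__":
    attack = "/default.asp."
    print(handle_request(attack, SCRIPT_MAP))                      # source is served
    print(handle_request(attack, harden_script_map(SCRIPT_MAP)))   # executed instead
    print(handle_request("/scripts/login.asp.", SCRIPT_MAP, ["/scripts"]))  # forbidden
    print(dot_attack_requests(SAMPLE_LOG, SCRIPT_MAP))
```

In this model the folder rule in handle_request does not depend on how the extension lookup parses the name, while the registry workaround only covers the exact spellings added to the map, which is the reason the reply treats the registry edit as a stop-gap and the separate folder as the real fix. The detection function is the check to run over existing logs once the fix is in, since the source may already have been fetched.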
