Bugtraq mailing list archives

Perl.exe and IIS security advisory

From: mnemonix () GLOBALNET CO UK (mnemonix)
Date: Fri, 22 Jan 1999 20:58:33 -0000


There is a problem with perl.exe similar to the issue discussed in KB
article Q193689 where the physical disk location of a virtual web directory
can be ascertained.

In all versions of IIS, where a  website has been configured to interpret
perl scripts using the perl executable (perl.exe), a problem exists where a
request for a non-existent file will return the physical location on a disk
of a web directory. A request for:

http://www.server.com/scripts/no-such-file.pl

will return information similar to the following:

CGI Error
The specified CGI application misbehaved by not returning a complete set of
HTTP headers. The headers it did return are:
Can't open perl script "C:\InetPub\scripts\no-such-file.pl": No such file or
directory

Previously this was a problem when requesting a non-existent .IDC file but
this was resolved with Service Pack 4.

To resolve this problem in IIS 2 and 3 you can use perlis.dll, the ISAPI
version of the perl interpreter,  instead of the executable. You can  use
this in IIS 4 as well, however, if you still want to use perl.exe you can
configure IIS to check for the file's existence.

NTInfoScan, downloadable from
http://www.infowar.co.uk/mnemonix/ntinfoscan.htm , checks for this problem
and the .IDC issue as well as other security checks.

Cheers,
David Litchfield

Current thread:

CFP: New Security Paradigms Workshop 1999, (continued)
- - CFP: New Security Paradigms Workshop 1999 Crispin Cowan (Jan 21)
  - Re: Sendmail 8.8.x/8.9.x bugware Phil Stracchino (Jan 21)
    - Re: Sendmail 8.8.x/8.9.x bugware Phil Stracchino (Jan 21)
    - linux crashes irix6.3 Philipp Schott (Jan 22)
    - Re: linux crashes irix6.3 J.A. Gutierrez (Jan 23)
    - CERT Advisory CA-99.01 - TCP.Wrappers (fwd) //Stany (Jan 22)
    - Misleading CERT Advisory CA-99-01-Trojan-TCP-Wrappers Jochen Thomas Bauer (Jan 22)
    - Follow up - IIS 4 logging mnemonix (Jan 23)
- WebRamp M3 remote network access bug John Stanley (Jan 21)
  - Re: WebRamp M3 remote network access bug James Egelhof (Jan 21)
  - Perl.exe and IIS security advisory mnemonix (Jan 22)
    - Re: Perl.exe and IIS security advisory Tabor J. Wells (Jan 24)
    - Repost: Wietse's FTP site has moved Wietse Venema (Jan 25)
    - Using Example Domain Names in Exploits bandregg () REDHAT COM (Jan 25)
    - IIS Advisory Update Marc (Jan 24)
- backdoored tcp wrapper source code Wietse Venema (Jan 21)
  - Re: backdoored tcp wrapper source code John Stange (Jan 23)
    - SSH 1.x and 2.x Daemon KuRuPTioN (Jan 23)
    - Re: SSH 1.x and 2.x Daemon Jan B. Koum (Jan 24)
    - Re: SSH 1.x and 2.x Daemon Linux Mailing Lists (Jan 25)
    - Re: SSH 1.x and 2.x Daemon KuRuPTioN (Jan 25)

(Thread continues...)