Bugtraq mailing list archives
More information on MS00-044
From: rain forest puppy <rfp () WIRETRIP NET>
Date: Fri, 4 Aug 2000 10:39:00 -0500
I just wanted to drop a note to see if anyone else has any more information on the '+.htr' vulnerability. So many people have been trying it against me, I decided to look into it. :)
From what I can tell, it's a pretty effective bug, returning the source of
the page. HOWEVER, it seems that it will stop at the first '<%' it encounters. For those of you that program in ASP, you'll know that <% %> are the server-side script delimiters. So this effectively keeps you from seeing source...or does it...? I've noticed that if you use the <script runat=server></script> delimiters, which function in the same manner as <% %>, you will get the source. Well, up to any other '<%' existing in the same page. Does anyone have any contrary results? - rain forest puppy ps. whisker v1.4 was released on my site. http://www.wiretrip.net/rfp/
Current thread:
- More information on MS00-044 rain forest puppy (Aug 07)