Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: IIS still revealing paths for web directories

From: joro () NAT BG (Georgi Guninski)
Date: Thu, 13 Jan 2000 12:10:29 +0200

Vanja Hrustic wrote:


This has been mentioned before, but it's probably good to remind
Microsoft about some outstanding issues.

Request : http://www.microsoft.com/anything.ida
Response: The IDQ file d:\http\anything.ida could not be found.

Request : http://www.microsoft.com/anything.idq
Response: The IDQ file d:\http\anything.idq could not be found.

Microsoft is running IIS5

The same problem still exists on IIS4 (tested with SP5 - didn't try on
SP6).

It's not really a big deal, but they should fix it.



This leads to a client side problem also.
The problem is IIS does not escape the response, so one may put some
HTML and javascript in the page returned from www.microsoft.com.
Vulnerabilities:
1) For IE (tested on 5.01, probably other versions) - if the user has
put www.microsoft.com in the Trusted sites security zone, then hostile
javascript and ActiveX may be executed in the Trusted sites security
zone.
2) It is possible to spoof www.microsoft.com by just clicking on a link.
There are probably other vulnerabilities.

Demonstration - click on the links, may also be invoked by javascript:

For IE:
http://www.microsoft.com/%3CP%20style=left:expression(alert("window.location:"+window.location))%3E.ida
(I am surprised <IMG SRC="javascript:code"> does not work in IE, one
need to reload the page in order to make it executed)

For Communicator:
http://www.microsoft.com/%3CIMG%20SRC=javascript:alert("window.location:"+window.location)%3E.ida

Regards,
Georgi Guninski
http://www.nat.bg/~joro
Previous By Date Next
Previous By Thread Next

Current thread: