Bugtraq mailing list archives
Re: IIS still revealing paths for web directories
From: joro () NAT BG (Georgi Guninski)
Date: Thu, 13 Jan 2000 12:10:29 +0200
Vanja Hrustic wrote:
> This has been mentioned before, but it's probably good to remind
> Microsoft about some outstanding issues.
>
> Request : http://www.microsoft.com/anything.ida
> Response: The IDQ file d:\http\anything.ida could not be found.
>
> Request : http://www.microsoft.com/anything.idq
> Response: The IDQ file d:\http\anything.idq could not be found.
>
> Microsoft is running IIS5
>
> The same problem still exists on IIS4 (tested with SP5 - didn't try on
> SP6). It's not really a big deal, but they should fix it.

This leads to a client side problem also. The problem is IIS does not escape the response, so one may put some HTML and javascript in the page returned from www.microsoft.com.

Vulnerabilities:
1) For IE (tested on 5.01, probably other versions) - if the user has put www.microsoft.com in the Trusted sites security zone, then hostile javascript and ActiveX may be executed in the Trusted sites security zone.
2) It is possible to spoof www.microsoft.com by just clicking on a link.

There are probably other vulnerabilities.

Demonstration - click on the links, may also be invoked by javascript:

For IE:
http://www.microsoft.com/%3CP%20style=left:expression(alert("window.location:"+window.location))%3E.ida
(I am surprised <IMG SRC="javascript:code"> does not work in IE, one needs to reload the page in order to make it executed)

For Communicator:
http://www.microsoft.com/%3CIMG%20SRC=javascript:alert("window.location:"+window.location)%3E.ida

Regards,
Georgi Guninski
http://www.nat.bg/~joro
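
The missing output escaping described in this message, shown beside a corrected form, as an added example that is not part of the original post and is not IIS code. All function names and the sample request path are constructed for illustration, and the sketch assumes the server URL-decodes the requested path before placing it in the error text.

```python
import html
import re
from urllib.parse import unquote

DOC_ROOT = r"d:\http"  # physical root as it appears in the error text quoted above

# Constructed, harmless sample: a request path carrying URL-encoded markup.
SAMPLE_PATH = "/%3Cb%3Eprobe%3C/b%3E.ida"


def error_page_unescaped(raw_path: str) -> str:
    """Behaviour the post describes: decoded name and physical root go into the HTML as-is."""
    name = unquote(raw_path).lstrip("/")
    return f"<html><body>The IDQ file {DOC_ROOT}\\{name} could not be found.</body></html>"


def error_page_hardened(raw_path: str) -> str:
    """HTML-escape the reflected name and leave the physical root out of the message."""
    name = unquote(raw_path).lstrip("/")
    safe = html.escape(name, quote=True)  # < > & " ' become entities
    return f"<html><body>The IDQ file {safe} could not be found.</body></html>"


def reflects_markup(body: str, raw_path: str) -> bool:
    """Response check: the decoded request name contains markup characters
    and shows up verbatim (unescaped) in the returned body."""
    name = unquote(raw_path).lstrip("/")
    return any(c in name for c in "<>\"'") and name in body


def leaks_physical_path(body: str) -> bool:
    """Response check: the body contains a drive-letter path such as d:\\http\\..."""
    return re.search(r"\b[a-zA-Z]:\\", body) is not None


if __name__ == "__main__":
    for build in (error_page_unescaped, error_page_hardened):
        body = build(SAMPLE_PATH)
        print(build.__name__, "reflects markup:", reflects_markup(body, SAMPLE_PATH),
              "| leaks path:", leaks_physical_path(body))
```

The two check functions can be pointed at any error body a server returns for a probe path, which covers both issues in this thread: the disclosed directory and the unescaped reflection.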