Allaire JRun ACL bypassing/soure disclosure vulnerability

[Gregory Duchemin <c3rb3r () hotmail com>]

In-Reply-To: <009a01c1792a$d8a23160$0205a8c0@athlon>

hi,

just an add on for the Jrun indexing vulnerability, the 
same %3f.jsp trick allows to view server scripts 
sources by using :
GET /scripts.asp%3f.jsp HTTP/1.0

and can be used to bypass IIS directories ACLs too 
while indexing the content and/or viewing files.
GET /ACL-protected/%3f.jsp

tested on IIs 4.0

Have a nice day
Gregory