Bugtraq mailing list archives
Re: IIS 5.0 allows viewing files using %3F+.htr
From: "Leonid Medvedev (home)" <user07 () ASK-DESIGN COM>
Date: Mon, 8 Jan 2001 23:46:59 +0300
Georgi Guninski security advisory #33, 2001
[...]
If you are not patched the following may work (not discovered by me): http://TARGETIIS/scripts/test.pl+.htr This does not work for some types of .ASP if they contain certain characters.
This works also at my IIS4 - global.asa exposed fully, .asp files exposed until the first entry of "<%" (begin of script block) One of possible workarounds - use MS Script Encoder.
---------------------------------------- http://TARGETIIS/scripts/test.pl%3F+.htr ----------------------------------------
This doesn't work on my IIS4 - it closes connection without any response. ---------------------------------------- Regards Leonid Medvedev [mailto:user07 () ask-design com], MCP Unofficial Russian IELTS Page [http://www2.ask-design.com/ielts]
Current thread:
- IIS 5.0 allows viewing files using %3F+.htr Georgi Guninski (Jan 08)
- Re: IIS 5.0 allows viewing files using %3F+.htr Leonid Medvedev (home) (Jan 08)