Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Bugtraq: ASP vulnerability with Alternate Data Streams

ASP vulnerability with Alternate Data Streams

From: Aleph One <aleph1_at_DFW.NET>
Date: Wed, 1 Jul 1998 21:37:29 -0500

---------- Forwarded message ----------
Date: Tue, 30 Jun 1998 15:27:32 +0200
From: Paul Ashton <paul_at_ARGO.DEMON.CO.UK>
To: NTBUGTRAQ_at_LISTSERV.NTBUGTRAQ.COM
Subject: ASP vulnerability with Alternate Data Streams

Following on from the last .asp vulnerability which applied to
URLs ending in spaces, and the previous that allowed .asps to
be read if they end in ".", it turns out that there is yet
another due to Alternate data streams.

The unnamed data stream is normally accessed using the filename
itself, with further named streams accessed as filename:stream.
However, the unnamed data stream can also be accessed using
filename::$DATA.

If you open http://somewhere/something.asp::$DATA it turns out
that you will be presented with the source of the ASP instead
of the output. Deja vu?!

It is left as an exercise for the reader to thing of further
implications in other programs running on NT. Obviously,
anything that to tries to restrict access based on filename
instead of ACLs is going to have a hard time after this and
the other recent revelations.

Paul
Received on Jul 01 1998

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos