Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Bugtraq: Re: More info on MS99-061 (IIS escape character vulnerability)

Re: More info on MS99-061 (IIS escape character vulnerability)

From: Joakim Karlmark <joakim.karlmark_at_PDKONSULT.COM>
Date: Sun, 2 Jan 2000 12:51:50 +0100

> What does this allow you to bypass? My guess is anything that plays or
> needs the raw filename or request. ISAPI filters and extension handlers
> come to mind. Who, what, where, and how are application specific.

One category of systems that are vulnerable to this are
3rd party authentications modules that do, for example radius
authentication.

One system that I've checked uses a special directory,
lets call it /authRoot where the administrators can store
customized login pages, graphics and so on.
So, by neccessity, it allows unauthenticated access to this
directory.

Unfortunately the ISS bugg allows one to "break out" of this
direcotry by appending %1u%1u (".." in other words).
So, to access default.asp we could would enter the url...

http://server/authRoot/%1u%1u/default.asp

And, ooops, unauthenticate access...
Received on Jan 02 2000

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos