Home page logo

bugtraq logo Bugtraq mailing list archives

Re: IIS 5.0 allows viewing files using %3F+.htr
From: "Leonid Medvedev (home)" <user07 () ASK-DESIGN COM>
Date: Mon, 8 Jan 2001 23:46:59 +0300

Georgi Guninski security advisory #33, 2001
If you are not patched the following may work (not discovered by me):
This does not work for some types of .ASP if they contain certain characters.

This works also at my IIS4 - global.asa exposed fully,
.asp files exposed until the first entry of "<%" (begin of script block)
One of possible workarounds - use MS Script Encoder.


This doesn't work on my IIS4 - it closes connection without any response.

Leonid Medvedev [mailto:user07 () ask-design com], MCP
Unofficial Russian IELTS Page [http://www2.ask-design.com/ielts]

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]