Vulnerability Development: Re: IIS/4.0 ASP include files

[Arturo Busleiman <buanzox () USA NET>]

The original mail didn't have a subject line, so I created it :)

On Tue, 8 Aug 2000, Paul Rogers wrote:

> Hi ppl,
<everybody> hi Paul! :)

> In certain IIS/4.0 configurations with ASP (assumption because the file
> seems to be an ASP include) and SQL Server running (unknown version),
> http://server/include/dbconfig.inc reveals the DSN, username and password to
> the database being utilised by the website. Does anyone know about this and
> under what configuration conditions does this occur? Or is just poor
> configuration on the IIS server revealing the include directory for ASP
> scripts run on the site? I think it maybe the latter but I'm no NT/IIS
> security guru.
Well, look at the extension of that file: ".inc"
It doesn't get interpreted, so it's output by the server as plain text.
The same thing happens with PHP, for example: they say that the if you
include files, they should (1) be outside wwwroot and/or
(2) a) have a file extension that gets parsed (ASP or whatever, depends)
    b) the server should be configured to interpret the .inc extension as
       source code
in either case (2a, 2b), the include file wouldn't be output as plain
text.

I'm sure I'm wrong, as always. (yeah yeah, low self-steem today)

*> Get PGP KEY: use pgpk -a hkp://horowitz.surfnet.nl/buanzox () usa net
*> MP OnLine? EL BBS? FeedBack? -> System Fork!!! 4799-2510 TLD 24hs
*> Lista social de mail. Envia e-mail en blanco a lsb-subscribe () egroups com
*> Panic? My kernel doesn't panic! We are doomed! DustDustDust!!!!