lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <27550198$10599118423f2cf8a29c2a62.03089073@config10.schlund.de>
From: ben.moeckel at badwebmasters.net (ben.moeckel@...webmasters.net)
Subject: [bWM#013] IIS (patched) may execute any file in a ".asp"-directory (bad behavior)

badWebMasters security advisory #013 

IIS (patched) may execute any file in a ".asp"-directory (bad behavior) 

Discovery date: 2003-05-17 
  
Author:
ben moeckel (http://distressed.de)
mailto: badwebmasters@...ine.de 
 
  
Description:
When a directory is named like an asp-file the asp engine will parse any
file in it, no matter what extension the file has.

This may be dangerous when users where able to create directories and
upload images in it, a malicious user could upload an asp- script with
the extension of an image and run it on the server. 
 
  
Exploit: 
Create the directory "test.asp" in your webroot and place the following
file in it:

-- exploit.gif ------------------------------------

	Hello world, I'm an image!

---------------------------------------------------
Open http://localhost/test.asp/exploit.gif in your browser and you
should read the message.
 
  
Live sample:
http://badwebmasters.net/advisory/013/test.asp/exploit.gif 
 
  
Vendor:
Microsoft has been contacted 06-16-03 via the webform about this bug. 
 
  
References:
aspforum.de "Verschickter IIS..." (german)
- http://aspforum.de/topic.asp?TOPIC_ID=13863

Path Parsing Errata in Apache
- http://cert.uni-stuttgart.de/archive/bugtraq/2003/01/msg00202.html
 
  
Feedback:
Comments, suggestions, updates, anything else?
   -> mailto:badwebmasters@...ine.de 
 
  
Source:
http://badwebmasters.net/advisory/013/ (text/html) 
 
  
_________________________________________

badWebMasters - ben moeckel security research
http://badwebmasters.de http://badwebmasters.net
copyright 2k1-3 by Benjamin Klimmek / Germany
mailto:badwebmasters@...ine.de

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ