lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <Pine.LNX.4.63.0509110101210.6560@forced.attrition.org>
Date: Sun Sep 11 06:03:11 2005
From: jericho at attrition.org (security curmudgeon)
Subject: IIS 5.1 Source Disclosure Under FAT/FAT32
	Volumes Using WebDAV


Hi Jerome,

: It is possible to remotely view the source code of web script files 
: though a specially crafted WebDAV HTTP request. Only IIS 5.1 seems to be 
: vulnerable. The web script file must be on a FAT or a FAT32 volume, web 
: scripts located on a NTFS are not vulnerable.
: 
: The information has been provided by Inge Henriksen 
: <mailto:inge.henriksen%20at%20booleansoft.com>. The original article can 
: be found at: 
: http://ingehenriksen.blogspot.com/2005/09/iis-51-allows-for-remote-viewing-of.html

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-0778

IIS 5.0 allows remote attackers to obtain source code for .ASP files and 
other scripts via an HTTP GET request with a "Translate: f" header, aka 
the "Specialized Header" vulnerability. 

--

This appears to be the same issue?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ