badWebMasters security advisory #013 IIS (patched) may execute any file in a ".asp"-directory (bad behavior)
Discovery date: 2003-05-17 Author: ben moeckel (http://distressed.de) mailto: [EMAIL PROTECTED] Description: When a directory is named like an asp-file the asp engine will parse any file in it, no matter what extension the file has. This may be dangerous when users where able to create directories and upload images in it, a malicious user could upload an asp- script with the extension of an image and run it on the server. Exploit: Create the directory "test.asp" in your webroot and place the following file in it: -- exploit.gif ------------------------------------ Hello world, I'm an image! --------------------------------------------------- Open http://localhost/test.asp/exploit.gif in your browser and you should read the message. Live sample: http://badwebmasters.net/advisory/013/test.asp/exploit.gif Vendor: Microsoft has been contacted 06-16-03 via the webform about this bug. References: aspforum.de "Verschickter IIS..." (german) - http://aspforum.de/topic.asp?TOPIC_ID=13863 Path Parsing Errata in Apache - http://cert.uni-stuttgart.de/archive/bugtraq/2003/01/msg00202.html Feedback: Comments, suggestions, updates, anything else? -> mailto:[EMAIL PROTECTED] Source: http://badwebmasters.net/advisory/013/ (text/html) _________________________________________ badWebMasters - ben moeckel security research http://badwebmasters.de http://badwebmasters.net copyright 2k1-3 by Benjamin Klimmek / Germany mailto:[EMAIL PROTECTED] _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
