ASP Request Object reveals sensitive information about an IIS server
--------------------------------------------------------------------


SUMMARY

ASP has some built-in objects, one of which is the Request Object. This 
object retrieves the values that the client browser passed to the server 
during an HTTP request.
A security hole in the request object can be used to gather sensitive 
information about the IIS server (for example the web server directory 
location).

DETAILS

Vulnerable systems:
Internet Information Server 4.0 (tested under Windows NT with SP 4 and ASP 
version 4.02.0727)

When a variable's value is a percent sign (optionally followed by one 
arbitrary character), Request("variable") holds some kind of path, which 
can reveal information about the internal structure of the website.

This can be a problem when such a variable is printed directly into the 
HTML, or when the VBScript cannot handle bogus input.

General example:
http://www.example.com/default.asp?variable=%
Request("variable") = <bogus_string>

On some sites it is possible to see the location of the virtual web site. 
The result will be something like: "?LM/W3SVC/1/Root/test"

This problem exists on Microsoft's site:

http://search.microsoft.com/us/SearchMS.asp?so=RECCNT&boolean=PHRASE&intCat=0&intCat=1&intCat=2&intCat=3&intCat=4&intCat=5&intCat=6&intCat=7&intCat=8&intCat=9&p=1&nq=NEW&LOC=&qu=%

(NOTE: URL may be wrapped, but it should be entered in one line)
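
Requests of this shape can be spotted in the server's own logs. The following is an added example, not part of the original advisory: it scans W3C extended format log lines for query parameters whose raw value contains a "%" that is not followed by two hex digits. The log lines are constructed, and the script assumes the server records the query string as received in the cs-uri-query field.

```python
import re

# A '%' that does not start a valid %XX escape (two hex digits).
BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")

# Constructed sample in W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
1999-10-24 10:00:01 192.0.2.10 GET /default.asp variable=hello 200
1999-10-24 10:00:02 192.0.2.11 GET /default.asp variable=% 200
1999-10-24 10:00:03 192.0.2.11 GET /default.asp variable=%z 200
1999-10-24 10:00:04 192.0.2.12 GET /default.asp variable=a%20b 200
1999-10-24 10:00:05 192.0.2.13 GET /search.asp p=1&qu=%&nq=NEW 200
1999-10-24 10:00:06 192.0.2.14 GET /index.htm - 200
"""


def malformed_params(query):
    """Return names of query parameters whose raw value has a broken %-escape."""
    hits = []
    if query in ("", "-"):          # '-' means "no query string" in W3C logs
        return hits
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if BAD_ESCAPE.search(value):
            hits.append(name)
    return hits


def scan(log_text):
    """Yield (client_ip, uri_stem, [param names]) for suspicious requests."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        hits = malformed_params(row.get("cs-uri-query", "-"))
        if hits:
            yield row.get("c-ip"), row.get("cs-uri-stem"), hits


if __name__ == "__main__":
    for ip, stem, params in scan(SAMPLE_LOG):
        print(f"{ip} {stem} malformed %-escape in: {', '.join(params)}")
```
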


ADDITIONAL INFORMATION

No fix has been made available at this time.

The information was provided by: PietroDi Mosmanza.


