Haren,

Just to recall, there was a similar IIS vulnerability in the year 2007 whereby IIS would return the source of a .asp file instead of executing it when ::$DATA was appended to the name when fetching via HTTP, though it is fixed already. But the thing is, that was one way of exploitation using ADS. Whatever the result or impact is, my idea is to think indifferently and have some test cases to check/analyse the results based on ADS. The test cases can be:

1) The default one: the above, though it is fixed already.
2) Find out the file upload module within the website (especially images as avatars, which almost all websites require) and upload a .jpg or whatever image file with a text file containing JavaScript appended to the image using the ADS concept. Now try to view the image in the avatar section. (There is an XSS zero day out based on image upload already, but not related to ADS.)
3) Usually rootkits use this concept to hide themselves. So possibly while downloading also, we may see/observe if the ADS-based file is being downloaded.
4) Create any .url file and append it to any legitimate file being uploaded (say as in test case 2) and check if the webpage is being redirected to whatever is mentioned in the .url.

Likewise, we may have multiple test cases, for which whatever is required is our thought process beyond what we do regularly.

Thanks!

*** Note: It's understood that it will work only on Windows operating systems, as ADS works in the NTFS filesystem.

Regards
Sandeep Thakur
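
Added example, not part of the original message: a defender-side check for test cases 1 and 2 that flags request paths naming an NTFS stream (including percent-encoded forms) and rejects upload file names containing stream syntax. It assumes the site serves files from an NTFS volume and has no legitimate URLs with a colon in a path segment; all function names and sample inputs are constructed for illustration.

```python
from urllib.parse import unquote

def split_stream(segment):
    """Split 'file:stream:$TYPE' NTFS syntax; return None when no stream is named."""
    if ":" not in segment:
        return None
    name, _, rest = segment.partition(":")
    stream, _, stype = rest.partition(":")
    return name, stream, stype or "$DATA"  # $DATA is the default stream type

def stream_refs_in_path(raw_path, max_decodes=3):
    """Return every (file, stream, type) named in a request path.

    The path is percent-decoded repeatedly so %3A and %253A forms are caught.
    """
    path = raw_path.split("?", 1)[0]  # ignore the query string
    for _ in range(max_decodes):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    segments = path.replace("\\", "/").split("/")
    return [ref for ref in map(split_stream, segments) if ref]

def is_safe_upload_name(name):
    """Accept only a bare file name: no colon, path separator or NUL byte."""
    return bool(name) and not any(ch in name for ch in ":/\\\x00")

# Constructed sample inputs (not taken from any real log).
SAMPLE_PATHS = [
    "/default.asp",
    "/default.asp::$DATA",
    "/default.asp%3A%3A%24DATA",
    "/img/avatar.jpg:note.txt",
    "/a/b.asp%253a%253a$DATA?x=1:2",
]
SAMPLE_UPLOADS = ["avatar.jpg", "avatar.jpg:note.txt", "avatar.jpg::$DATA"]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(p, "->", stream_refs_in_path(p) or "ok")
    for n in SAMPLE_UPLOADS:
        print(n, "->", "accept" if is_safe_upload_name(n) else "reject")
```
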
