Of course this is only true if the .htr extension application is
available...
-----Original Message-----
From: Cumhur KIZILARI <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
<[EMAIL PROTECTED]>;
[EMAIL PROTECTED]
<[EMAIL PROTECTED]>
Date: Tuesday, January 09, 2001 6:25 AM
Subject: Important
>From
>http://www.guninski.com/iishtr.html
>Georgi Guninski security advisory #33, 2001
>IIS 5.0 allows viewing files using %3F+.htr
>
>Systems affected:
>IIS 5.0 patched against the file fragment reading vulnerability
>
>Risk: Medium
>Date: 8 January 2001
>
>Legal Notice:
>This Advisory is Copyright (c) 2000 Georgi Guninski. You may distribute it
>unmodified.
>You may not modify it and distribute it or distribute parts of it without
>the author's written permission.
>
>Disclaimer:
>The opinions expressed in this advisory and program are my own and not of
>any company. The usual standard disclaimer applies, especially the fact that
>Georgi Guninski is not liable for any damages caused by direct or indirect
>use of the information or functionality provided by this advisory or
>program. Georgi Guninski bears no responsibility for content or misuse of
>this advisory or program or any derivatives thereof.
>
>Description:
>
>IIS 5.0 allows viewing most types of CGI files if a special request is
>performed.
>
>Details:
>The following URL:
>----------------------------------------
>http://TARGETIIS/scripts/test.pl%3F+.htr
>----------------------------------------
>reveals the content of /scripts/test.pl instead of executing it.
>This may give away passwords in CGI and other stuff.
>If you are not patched the following may work (not discovered by me):
>http://TARGETIIS/scripts/test.pl+.htr
>This does not work for some types of .ASP if they contain certain
>characters.
>
>_______________________________________________
>Perl-Win32-Users mailing list
>[EMAIL PROTECTED]
>http://listserv.ActiveState.com/mailman/listinfo/perl-win32-users
>
_______________________________________________
Perl-Unix-Users mailing list. To unsubscribe go to
http://listserv.ActiveState.com/mailman/subscribe/perl-unix-users
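
A defender's check for the request shape in the advisory quoted above, as an added example that is not part of the original thread: it flags logged request URIs whose path names a non-.htr file followed by `+.htr` or `%3F+.htr`. The log line layout (client, method, URI, status), the function names and the sample entries are constructed for illustration and are not an actual IIS log format.

```python
import re
from urllib.parse import unquote

# Decoded path: a target file, an optional "?" (sent as %3F), then "+.htr".
# Case-insensitive because extension matching on Windows ignores case.
HTR_SUFFIX = re.compile(r"^(/.+?)(\?)?\+\.htr$", re.IGNORECASE)

def classify(request_uri):
    """Return (variant, target_path) when the URI has the advisory's shape, else None."""
    # Only the path part counts: a literal "?" starts a real query string,
    # whereas the advisory's request carries the "?" encoded inside the path.
    raw_path = request_uri.split("?", 1)[0]
    decoded = unquote(raw_path)  # %3F -> "?", %2B -> "+"; a literal "+" is left alone
    m = HTR_SUFFIX.match(decoded)
    if not m:
        return None
    target = m.group(1)
    if target.lower().endswith(".htr"):
        return None  # the target is itself an .htr file, not a disclosed script
    variant = "%3F+.htr" if m.group(2) else "+.htr"
    return variant, target

def scan(lines):
    """Return (client, variant, target) for every matching line of the constructed log."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        client, _method, uri, _status = fields
        result = classify(uri)
        if result:
            hits.append((client, result[0], result[1]))
    return hits

# Constructed sample log lines (documentation address range 192.0.2.0/24).
SAMPLE_LOG = """\
192.0.2.10 GET /scripts/test.pl%3F+.htr 200
192.0.2.10 GET /scripts/test.pl+.htr 200
192.0.2.11 GET /scripts/test.pl?name=a+.htr 200
192.0.2.12 GET /iisadmpwd/aexp.htr 200
192.0.2.13 GET /scripts/Test.PL%3f+.HTR 404
"""

if __name__ == "__main__":
    for client, variant, target in scan(SAMPLE_LOG.splitlines()):
        print(f"{client}: {variant} request for {target}")
```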