Toby wrote:
>...I ask because I just tripped over an article about IIS5
>revealing script's source if the request followed a certain

Aargh! This is a nightmare!

I've just tested on NT4 IIS4 and sure enough, if you append a +.htr to the
end of the url of a script you get sent the raw unprocessed script source.

Luckily, you only get to see the source of the script you pointed at and not
any include stuff outside the webspace so most sensible people will
hopefully be lucky enough to have their sensitive configuration information
and main program code outside the webspace. Nevertheless, if you thought the
php code in your webspace was private, forget it!

I've just done some investigating, and here's the fix (phew!).
You'll find that IIS sets up scriptmapping for the .htr extension to a dll
called ism.dll
Just get rid of the script map and the problem goes away. I don't know what
this breaks, but I don't have any .htr files so I don't really care for now!

Doing a search for ism.dll on the net has not enlightened me as to what it
actually does, but it turns up loads of pages on a buffer overflow exploit.

PS Can you make sure to CC replies direct to me as there seems to be a
glitch somewhere between my ISP and which has been preventing me
receiving list messages since yesterday morning - so it's real quiet here:)
It's no fun following all this via the archives!
Phil Driscoll
Dial Solutions
+44 (0)113 294 5112

PHP Development Mailing List <>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to