COMMAND

    IIS

SYSTEMS AFFECTED

    IIS 5 patched against the file fragment reading vulnerability

PROBLEM

    The following is based on Georgi Guninski's security advisory #33.
    IIS 5.0 allows viewing the source of most types of CGI files if a
    specially crafted request is performed.  The following URL:

        http://TARGETIIS/scripts/test.pl%3F+.htr

    reveals the content of /scripts/test.pl instead of executing it.
    This may give away passwords embedded in CGI scripts and other
    sensitive data.  If you are not patched, the following may work
    (not discovered by me):

        http://TARGETIIS/scripts/test.pl+.htr

    This does not work for some types of .ASP file if they contain
    certain characters.  It also works under IIS 4: global.asa is
    exposed fully, and .asp files are exposed up to the first
    occurrence of "<%" (the start of a script block).

    Moran sent the following to MS.  He did as follows:

        https://mysite/checkuser.asp

    The ASP page checks the user name and password against the SQL
    server, and he got an "unknown login ID" error.  That's fine.

    BUT when he did:

        https://mysite/checkuser.asp%3F+.htr

    He got a blank page, and when he viewed the source he saw this line:

        <!--#include file="Conn.asp"-->

    so an attacker now knows which file holds the DSN details.
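    As an added defensive illustration (not part of the original
    advisory): the Python below flags requests of the "+.htr" shape
    described above in IIS-style log lines, so that a patched server
    can still spot attempts.  The log layout, file names and addresses
    are constructed assumptions, not data from the advisory.

```python
import re
from urllib.parse import unquote

# A real script path, an optional "?" (raw or encoded as %3F), then "+.htr".
# This is the request shape the advisory describes; it makes IIS hand the
# file to the .htr ISAPI extension instead of the script engine.
HTR_SUFFIX_RE = re.compile(
    r"^(?P<path>/[^\s?+]+\.(?P<ext>[A-Za-z0-9]+))(?:%3[fF]|\?)?\+\.htr$"
)


def detect_htr_disclosure(uri):
    """Return the real target path if `uri` has the +.htr disclosure shape
    and the underlying file is not itself an .htr file, else None."""
    m = HTR_SUFFIX_RE.match(uri)
    if not m:
        return None
    if m.group("ext").lower() == "htr":
        return None  # a genuine .htr request, nothing was appended
    return unquote(m.group("path"))


# Constructed sample lines in a W3C-style layout (date time c-ip cs-method
# cs-uri sc-status); not taken from a real server.
SAMPLE_LOG = """\
2001-01-10 12:00:01 10.0.0.5 GET /scripts/test.pl 200
2001-01-10 12:00:02 10.0.0.5 GET /scripts/test.pl%3F+.htr 200
2001-01-10 12:00:03 10.0.0.7 GET /checkuser.asp+.htr 200
2001-01-10 12:00:04 10.0.0.9 GET /iisadmpwd/achg.htr 200
2001-01-10 12:00:05 10.0.0.7 GET /global.asa%3F+.htr 200
"""


def scan_log(text):
    """Return (client_ip, requested_uri, disclosed_path) for suspect lines."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0].startswith("#"):
            continue  # skip header/comment lines and truncated records
        ip, uri = fields[2], fields[4]
        target = detect_htr_disclosure(uri)
        if target is not None:
            hits.append((ip, uri, target))
    return hits


if __name__ == "__main__":
    for ip, uri, target in scan_log(SAMPLE_LOG):
        print(f"{ip} requested {uri} -> source of {target} may be exposed")
```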

SOLUTION

    One possible workaround is to use the MS Script Encoder, or not to
    use .htr at all.  Also, see MS01-004.