IIS 5.0 Exposes Source Code

 

Reported August 14, 2000 by Microsoft

VERSIONS AFFECTED
  • Microsoft Internet Information Server 5.0

DESCRIPTION

By sending a specially crafted URL that ends with particular characters, together with a specialized request header, an attacker can bypass normal script processing and expose the source code embedded in Web-related files.

DEMONSTRATION

When a GET request carries a specialized header containing "Translate: f" and its URL has a backslash on the end, the server will forgo script processing and send the source code to the end user's browser.
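For defenders reviewing proxy or WAF captures, the following added example (not part of the original advisory or any Microsoft tooling) flags raw requests that combine the two conditions described above. The function names, sample host and sample paths are hypothetical and constructed for illustration; the path is percent-decoded before the trailing-backslash check as a standard normalization step.

```python
from urllib.parse import unquote

# Constructed sample requests (not captured traffic); host and paths are placeholders.
SAMPLES = [
    "GET /default.asp\\ HTTP/1.1\r\nHost: www.example.test\r\nTranslate: f\r\n\r\n",
    "GET /default.asp%5C HTTP/1.1\r\nHost: www.example.test\r\ntranslate: F\r\n\r\n",
    # Translate: f alone is normal WebDAV client behaviour, so it is not flagged.
    "GET /default.asp HTTP/1.1\r\nHost: www.example.test\r\nTranslate: f\r\n\r\n",
    # Trailing backslash without the header does not match the advisory either.
    "GET /default.asp\\ HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
]


def parse_request(raw):
    """Split a raw HTTP request head into (method, target, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            # Header names are case-insensitive; store them lowercased.
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def matches_advisory_pattern(raw):
    """True when a GET has 'Translate: f' and a path ending in a backslash."""
    try:
        method, target, headers = parse_request(raw)
    except ValueError:
        return False
    path = unquote(target.split("?", 1)[0])  # drop query string, decode %5C
    return (method.upper() == "GET"
            and headers.get("translate", "").lower() == "f"
            and path.endswith("\\"))


def flag_requests(requests):
    """Return the indexes of requests that match the advisory's pattern."""
    return [i for i, r in enumerate(requests) if matches_advisory_pattern(r)]


if __name__ == "__main__":
    print(flag_requests(SAMPLES))
```
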

VENDOR RESPONSE

Microsoft issued FAQ #FQ00-058, Support Online article Q256888, as well as a patch for IIS 5.0. In addition, Microsoft's bulletin points out that users can load SP1 for Windows 2000, which eliminates some seventeen security-related problems.

CREDIT
Discovered by Microsoft
