SecurityTracker.com
Category:   Application (Web Server/CGI)  >   Microsoft Internet Information Server (IIS) Web Server
Vendors:   Microsoft
Microsoft Internet Information Server (IIS) May Disclose PHP Scripting Source Code
SecurityTracker Alert ID:  1002651
SecurityTracker URL:  http://securitytracker.com/id/1002651
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Oct 29 2001
Impact:   Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  
Version(s): IIS 4, PHP4
Description:   A vulnerability has been reported in Microsoft Internet Information Server (IIS) when running PHP scripting and when configured on an NTFS-based file system. A remote user can obtain the source code of PHP pages.

With a Microsoft Windows NT server running IIS and PHP scripting, a remote user can obtain the source code for PHP scripts using the following type of URL:

http://[targethost]/file.php::$DATA

In July 1998, a similar problem was reported regarding the disclosure of ASP source code. For the original report, see:

http://archives.neohapsis.com/archives/ntbugtraq/1998/msg00360.html

Microsoft provided a fix for the original problem. For the Microsoft fix, see:

http://support.microsoft.com/support/kb/articles/Q188/8/06.ASP

In Microsoft's knowledge base article, the flaw is blamed on the ability of IIS to access the NTFS data stream attribute directly.

It is reported that the vendor fix from 1998 does not prevent PHP source code from being viewed by remote users.

Impact:   A remote user can obtain PHP script source code from the web server.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.microsoft.com/technet/security/
Cause:   Input validation error
Underlying OS:  Windows (NT)

Message History:   None.


 Source Message Contents

Subject:  data stream bug still alive?


Data Stream Bug may still work (on an unusual configuration)
[===================================]

+ Past Problem
The Windows NT file system, NTFS, supports multiple data streams within a
file, DATA being the main content stream.
The possibility of getting remotely, through IIS, the source code of files
like an ASP script was reported on July 8, 1998 by Paul Ashton on this mailing
list. This was done by requesting the file and ::$DATA. Microsoft released a
fix, and the problem was solved in the subsequent Service Packs for Windows
NT.

+ Present Problem
Yet it seems to us that this problem persists on some unusual configurations,
such as a Windows NT box with IIS and PHP scripting. In our tests on two
separate Windows NT boxes, with IIS 4, PHP4, the fix available for the bug
and the latest SP6a, it is still possible to obtain the source of PHP files.
e.g. http://www.server.com/file.php::$DATA

+ Implications
Besides the obvious vulnerability, this shows that the fix given by Microsoft,
far from solving the real problem, just did the "workarounds" in the
registry on how to manage specific extensions (.asp, .pl, and so on),
excluding .php.

+ Final
Anyone who can confirm or refute this, please post it.


+ More Information
":$DATA Stream Name of a File May Return Source"
http://support.microsoft.com/support/kb/articles/Q188/8/06.ASP

"HOW TO: Use NTFS Alternate Data Streams"
http://support.microsoft.com/support/kb/articles/Q105/7/63.ASP


Roberto Alamos M.    (theye@350cc.com)
Carlos Gaona U.    (ndr113@350cc.com)
www.350cc.com
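
The point made under "Implications", as an added example (not code from the advisory, the message or Microsoft): a rule keyed on a list of script extensions misses `.php`, while rejecting any stream specifier in the decoded request path does not depend on the extension. The extension list, function names and sample paths are constructed assumptions; the first function only models the behaviour the message describes.

```python
from urllib.parse import unquote

# Assumption: extension list taken from the message's wording (.asp, .pl);
# this models the behaviour the message describes, not Microsoft's fix.
GUARDED_EXTENSIONS = (".asp", ".pl")
MAX_DECODE_ROUNDS = 3  # covers single and double percent-encoding


def extension_keyed_block(path: str) -> bool:
    """Block only when a listed script extension is followed by ::$DATA."""
    name = unquote(path.split("?", 1)[0]).lower()
    return any(name.endswith(ext + "::$data") for ext in GUARDED_EXTENSIONS)


def stream_specifier_block(path: str) -> bool:
    """Block any request whose decoded path contains ':'.

    On NTFS ':' separates file name from stream name, so a URL path mapped
    to a file has no legitimate use for it, whatever the extension.
    """
    path = path.split("?", 1)[0]          # query strings may contain ':'
    for _ in range(MAX_DECODE_ROUNDS):
        if ":" in path:
            return True
        decoded = unquote(path)
        if decoded == path:               # fully decoded, no ':' found
            return False
        path = decoded
    return True                           # still encoded after cap: fail closed


# Constructed sample request targets (not taken from any real log).
SAMPLES = [
    "/default.asp::$DATA",
    "/file.php::$DATA",
    "/file.php%3A%3A$DATA",
    "/file.php%253A%253A$DATA",
    "/index.php?next=http://example.test/",
]


def compare(paths):
    """Return (path, extension-keyed verdict, generic verdict) per path."""
    return [(p, extension_keyed_block(p), stream_specifier_block(p)) for p in paths]


if __name__ == "__main__":
    for path, by_ext, generic in compare(SAMPLES):
        print(f"{path:40} extension-keyed={by_ext!s:5} generic={generic}")
```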

 
 

