SecurityTracker.com
Category:   Application (Web Server/CGI)  >   Microsoft Internet Information Server (IIS) Web Server
Vendors:   Microsoft
Microsoft IIS 4.0 Configuration Error May Allow Remote Users to Obtain Physical Directory Path Information
SecurityTracker Alert ID:  1002733
SecurityTracker URL:  http://securitytracker.com/id/1002733
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Nov 13 2001
Impact:   Disclosure of system information
Exploit Included:  Yes  
Version(s): IIS 4.0
Description:   Hackemate.com reported an information disclosure vulnerability in the Microsoft IIS 4.0 web server that affects ASP pages when the server is not properly configured. The server may disclose physical path information to remote users.

It is reported that, if detailed ODBC error logging has not been turned off, the server may return the physical path of the site directory in response to certain default.asp URL requests.

A demonstration exploit transcript is provided in the Source Message.

Impact:   A remote user may be able to obtain physical path information from the web server.
Solution:   It is reported that detailed ODBC error logging can be turned off to avoid disclosing this information.
Vendor URL:  www.microsoft.com/technet/security/
Cause:   Configuration error
Underlying OS:  Windows (NT)

Message History:   None.


 Source Message Contents

Subject:  Weakness in default.asp [Hackemate.com Research]


Research by www.hackemate.com

This weakness was found on some IIS 4.0 servers
with the next characteristics or similar:

HTTP/1.1 302 Object moved
Server: Microsoft-IIS/4.0
Date: Mon, 12 Nov 2001 19:24:52 GMT
Location: http://www.tectimes.com/ppal.asp
Connection: Keep-Alive
Content-Length: 153
Content-Type: text/html
Set-Cookie: ASPSESSIONIDGQGQQQCI=CINJJCOADDBCMOCEILCBCCDB; path=/
Cache-control: private

When you ask for a certain URL, it shows the real path of
the Web Site files in the server.
It can be exploited this way:
http://www.website.com/default.asp?sector=anything

For example:
http://www.tectimes.com/SistemaMas/default.asp?sector=lamers

It will respond with the next data:


error '80020009'
Exception occurred.

D:\SITIOS_WEB\TECTIMES\NUEVO\SISTEMAMAS\../body.htm, line 74


As you can see, it reveals the real path of
the site directory.

The HTML code of the response:

<SCRIPT LANGUAGE="JavaScript">
function PopUp(destino)
{
        var ventana = window.open(destino, "_blank", "left=0,top=0,width=790,height=520,toolbar=no,location=no,status=yes,menubar=no,resizable=yes,scrollbars=yes");
}
function sugerencias(d)
{
        var v=window.open(d + "&title=" + document.title, '_blank', 'left=0,top=0,width=320,height=380,toolbar=no,location=no,status=yes,menubar=no,resizable=no,scrollbars=no')
}

function comentarios(d)
{
        var v=window.open(d + "&title=" + document.title, '_blank', 'left=0,top=0,width=340,height=380,toolbar=no,location=no,status=yes,menubar=no,resizable=no,scrollbars=yes')
}
</SCRIPT>
 <font face="Arial" size=2>error '80020009'</font>
<p>
<font face="Arial" size=2>Exception occurred.
</font>
<p>
<font face="Arial" size=2>D:\SITIOS_WEB\TECTIMES\NUEVO\SISTEMAMAS\../body.htm</font><font face="Arial" size=2>, line 74</font>

---------------
     I will keep on investigating this and send you some more
information as soon as I get it.
            Greetz from Argentina

KerozenE 1999-2001 c0oL!
ICQ: XXXXXXXX
*********************************
Webmaster of www.hackemate.com.ar
krzn@softhome.net
*********************************
Moderator of HACKEMATE Security bulletin
http://www.eListas.net/lista/hackemate/alta
hackemate-alta@Elistas.net
*********************************
Editor of the EZine HC&KTM
Http://www.hackemate.com.ar
hackemate-alta@Elistas.net
*********************************
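
A defender-side check for the leak this advisory describes, as an added example that is not part of the advisory or the source message: it scans an HTTP response body for a physical Windows path like the one in the ASP error page quoted above. The function name and the clean sample page are assumptions made for illustration; the leaky sample is the response fragment from the message, shortened.

```python
import html
import re

# Drop script/style blocks first, then any remaining tags.
TAG = re.compile(r"<(script|style)\b.*?</\1\s*>|<[^>]+>", re.I | re.S)
# ASP runtime error header, e.g. error '80020009'
ASP_ERROR = re.compile(r"error\s+'([0-9A-Fa-f]{8})'")
# Drive-letter or UNC path, optionally followed by ", line N" as on the ASP error page.
WIN_PATH = re.compile(r"((?:(?<![A-Za-z])[A-Za-z]:\\|\\\\[\w.$-]+\\)[^\s<>\"'|?*,]+)(?:\s*,\s*line\s+(\d+))?")

def find_path_disclosures(body):
    """Return one dict per physical Windows path exposed in a response body."""
    # Work on the visible text: tags removed, entities decoded, whitespace collapsed.
    text = re.sub(r"\s+", " ", html.unescape(TAG.sub(" ", body)))
    err = ASP_ERROR.search(text)
    return [
        {
            "path": m.group(1),
            "line": int(m.group(2)) if m.group(2) else None,
            "asp_error": err.group(1) if err else None,
        }
        for m in WIN_PATH.finditer(text)
    ]

# Response fragment quoted in the source message (script block shortened).
LEAKY_BODY = r"""<SCRIPT LANGUAGE="JavaScript">
function PopUp(destino) { var ventana = window.open(destino, "_blank", "left=0,top=0"); }
</SCRIPT>
 <font face="Arial" size=2>error '80020009'</font>
<p>
<font face="Arial" size=2>Exception occurred.
</font>
<p>
<font face="Arial" size=2>D:\SITIOS_WEB\TECTIMES\NUEVO\SISTEMAMAS\../body.htm</font><font face="Arial" size=2>, line 74</font>
"""

# Constructed sample: a generic error page that exposes nothing.
CLEAN_BODY = "<html><body><h1>An error occurred.</h1><p>See http://www.example.com/help</p></body></html>"

if __name__ == "__main__":
    for name, body in (("leaky", LEAKY_BODY), ("clean", CLEAN_BODY)):
        print(name, find_path_disclosures(body))
```

Run against saved responses from your own site's error pages; any non-empty result means detailed errors are still reaching remote users.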


 
 



Copyright 2019, SecurityGlobal.net LLC