Microsoft Visual Studio .NET Web Projects May Disclose the Web Directory Structure to Remote Users
|
SecurityTracker Alert ID: 1005127 |
SecurityTracker URL: http://securitytracker.com/id/1005127
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Aug 23 2002
|
Impact:
Disclosure of system information, Disclosure of user information
|
Exploit Included: Yes
|
|
Description:
An information disclosure issue was reported with Microsoft Visual Studio .NET when creating new Web projects. A user with access to the project file could determine the web directory structure.
Digit-Labs reported that when a new Web project is created, Visual Studio will create a '.vbproj' file in the Web root directory. The file apparently contains the relative path filenames of all files in the project, revealing the Web site file structure.
|
Impact:
A user can determine the web directory structure.
[Editor's note: This is not expressly a remote information disclosure vulnerability. A remote user must be authenticated and have been granted access to the project file in order for this information to be disclosed to a remote user.]
|
Solution:
No solution was available at the time of this entry.
|
Vendor URL: www.microsoft.com/technet/security/ (Links to External Site)
|
Cause:
Access control error
|
Underlying OS: Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Subject: Microsoft Visual Studio .NET
|
This is a multi-part message in MIME format.
--------------888CF8CB67C27244F1B9EF52
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
http://packetstorm.decepticons.org/advisories/misc/msvs.info.txt
--------------888CF8CB67C27244F1B9EF52
Content-Type: text/plain; charset=us-ascii;
name="msvs.info.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="msvs.info.txt"
Here is our latest advisory, a copy is also on our web
http://www.digit-labs.org/ .
-Greetings from GoLLuM.no
-------------------------------------------------------------------
** Digit-Labs Security Advisory (http://www.digit-labs.org/) **
Advisory Name: VS.net Web Project file reveals Website structure
Release Date: 22.Aug-2002
Application: Microsoft Visual Studio .NET
Platform: All supporting VS.NET
Severity: Low
Author(s): GoLLuM.no [mailto:gollum@digit-labs.org]
Vendor Status: Unknown
Description:
When creating a new Web project Microsoft Visual Studio creates a
file called *.vbproj
in the Web root directory. This file contains the filenames of all
the files in the
project, thus revealing the Web site file-structure.
The name of the project is the same as the name of the *.vbproj
file, thus if your
project is named "myproj" your Web project file is
named "myproj.vbproj".
Access to this Web project file would then be through
http://target/myproj.vbproj,
often you will see that the virtual directories and the project
name is the same,
ex. http://target/newproject/newproject.vbproj .
Example of Web project content:
...
<Files>
<Include>
<File Relpath="index.asp" Buildaction="Content"/>
<File Relpath="authenticate.asp" Buildaction="Content"/>
<File Relpath="script/authenticate.inc" Buildaction="Content"/>
<File Relpath="script/accessgranted.inc" Buildaction="Content"/>
</Include>
</Files>
...
________________________________________________________________
Get your own evilemail.com address at http://www.evilemail.com
--------------888CF8CB67C27244F1B9EF52--
|
|