SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Microsoft Visual Studio Vendors:   Microsoft
Microsoft Visual Studio .NET Web Projects May Disclose the Web Directory Structure to Remote Users
SecurityTracker Alert ID:  1005127
SecurityTracker URL:  http://securitytracker.com/id/1005127
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Aug 23 2002
Impact:   Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  

Description:   An information disclosure issue was reported with Microsoft Visual Studio .NET when creating new Web projects. A user with access to the project file could determine the web directory structure.

Digit-Labs reported that when a new Web project is created, Visual Studio will create a '.vbproj' file in the Web root directory. The file apparently contains the relative path filenames of all files in the project, revealing the Web site file structure.

Impact:   A user can determine the web directory structure.

[Editor's note: This is not expressly a remote information disclosure vulnerability. A remote user must be authenticated and have been granted access to the project file in order for this information to be disclosed to a remote user.]

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.microsoft.com/technet/security/ (Links to External Site)
Cause:   Access control error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Microsoft Visual Studio .NET


This is a multi-part message in MIME format.
--------------888CF8CB67C27244F1B9EF52
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

http://packetstorm.decepticons.org/advisories/misc/msvs.info.txt
--------------888CF8CB67C27244F1B9EF52
Content-Type: text/plain; charset=us-ascii;
 name="msvs.info.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="msvs.info.txt"

Here is our latest advisory, a copy is also on our web 
http://www.digit-labs.org/ .

-Greetings from GoLLuM.no

-------------------------------------------------------------------

** Digit-Labs Security Advisory (http://www.digit-labs.org/) **

Advisory Name: VS.net Web Project file reveals Website structure
Release Date: 22.Aug-2002
Application: Microsoft Visual Studio .NET
Platform: All supporting VS.NET
Severity: Low
Author(s): GoLLuM.no [mailto:gollum@digit-labs.org]
Vendor Status: Unknown

Description:

When creating a new Web project Microsoft Visual Studio creates a 
file called *.vbproj
in the Web root directory. This file contains the filenames of all 
the files in the
project, thus revealing the Web site file-structure.

The name of the project is the same as the name of the *.vbproj 
file, thus if your 
project is named "myproj" your Web project file is 
named "myproj.vbproj".
Access to this Web project file would then be through 
http://target/myproj.vbproj,
often you will see that the virtual directories and the project 
name is the same,
ex. http://target/newproject/newproject.vbproj .

Example of Web project content:
...
<Files>
<Include>
<File Relpath="index.asp" Buildaction="Content"/>
<File Relpath="authenticate.asp" Buildaction="Content"/>
<File Relpath="script/authenticate.inc" Buildaction="Content"/>
<File Relpath="script/accessgranted.inc" Buildaction="Content"/>
</Include>
</Files>
...


 

________________________________________________________________
Get your own evilemail.com address at http://www.evilemail.com


 
                   

--------------888CF8CB67C27244F1B9EF52--



 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC