Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Web Server/CGI)  >   Microsoft Internet Information Server (IIS) Web Server Vendors:   Microsoft
Microsoft IIS ASP Script Cookie Processing Flaw May Disclose Application Information to Remote Users
SecurityTracker Alert ID:  1010079
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  May 6 2004
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Exploit Included:  Yes  

Description:   Aaron Newman of Application Security, Inc. reported a vulnerability in Microsoft Internet Information Server (IIS) in the processing of certain cookie values by Active Server Pages (ASP) scripts. A remote user can determine information about the ASP application.

It is reported that a remote user can send an HTTP request with an HTTP cookie value of an equal sign character ('=') to cause the target ASP script to trigger an error and display an error page. The error page may disclose potentially sensitive information, such as the name of include files or that a cookie has been read by the system, the report said.

The vendor was reportedly notified in December 2003.

Cesar Cerrudo of Application Security, Inc. is credited with discovering this flaw.

Impact:   A remote user can obtain some information about the target ASP application.
Solution:   The author indicates that IIS web servers can be configured to return custom error pages that do not reveal details about the script that caused the error, as described in:

Vendor URL: (Links to External Site)
Cause:   Access control error, Exception handling error
Underlying OS:  Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  [AppSecInc Security Alert] Microsoft Active Server Pages Cookie Retrieval Issue

Microsoft Active Server Pages Cookie Retrieval Issue

5 May 2004

Risk Level: Low

The Active Server Pages (ASP) engine does not properly handle special
cookie values when they are retrieved. Because of this, an unhandled
error is returned to the client. This behavior can be used maliciously
to gather sensitive information from web applications.

Versions Affected:
All Microsoft Internet Information Server (IIS) web applications using
Active Server Pages (ASP).

ASP is an extension to IIS which allows HTML pages to be dynamically
generated on the server side.  When the server receives a request for an
ASP file, it processes server-side scripts contained in the file to
build the page that is sent back to the browser.  ASP files can also
contain HTML, including related client-side scripts, as well as calls to
COM components that perform a variety of tasks such as connecting to a
database or processing business logic.  ASP pages are supported on all
Microsoft Web Servers including Personal Web Server and Internet
Information Server.

ASP exposes many objects to enable easy development of web applications.
These objects are used to allow browsers and web applications to easily
exchange information over HTTP.  When a special value, ("="), is sent in
a Cookie header value and an ASP page tries to access this value, an
unhandled error is returned by the ASP engine.

Example HTTP request:

GET /somepage.asp HTTP/1.0
Host: hostname
Cookie: =

Source code snippet for somepage.asp:

value=request.cookies("cookiename") 'here the error is triggered

Value returned by the IIS server:

Unespecified error
/, line 2

In this example, the attacker was able to determine the name of the
include file by setting the cookie to "=". Revealing information such as
the include file name could be used to find other more sensitive

Other possible problems include being able to tell when a cookie is
being read. If a cookie is set to "=" and the following return value is

Unespecified error
/somepage.asp, line 19

The attacker has verified that the cookie was accessed on this page.

This vulnerability can be executed remotely and allows an attacker to
map web application logic determining when cookies are read, etc... This
allows an attacker to generate errors messages possibly exposing
sensitive information that can be used in further attacks.

IIS Web Servers should be configured to return custom error pages which
do not reveal details about the script which caused the error.
Information about how to create custom error pages is available at

Microsoft was contacted on December 2003.

This vulnerability was researched and discovered by Cesar Cerrudo of
Application Security, Inc.


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, LLC