L0pht Security Advisory

Advisory released Mar 19 1997
Application: Microsoft IIS 3.0
Vulnerability Scope: IIS 3.0 w/latest hot-fixes dated Feb 27 14:22:00
Severity: Users can read the server side script in .asp, .ht., .id, .PL files
Author: weld@l0pht.com

Overview:

Microsoft's IIS 3.0 supports server side scripting using "Active Server Pages" or .asp files. These files are meant to execute and not be visible to the user. These scripts may contain sensitive information such as SQL Server passwords. These files can be downloaded and viewed instead of executed by replacing '.' in a URL with a '%2e'.

Description:

A problem was discovered in IIS 3.0 that allowed users to read the contents of .asp files by appending a '.' or a series of '.'s to the end of a URL:

    http://www.mycompany.com/default.asp
becomes
    http://www.mycompany.com/default.asp.

Microsoft acknowledged the problem and released a hot-fix patch to IIS 3.0. This is available from

    http://www.microsoft.com/iis/iisnews/hotnews/security.htm

This hot-fix solved the trailing '.' problem but opened up a new hole which allows the same results - viewing the .asp file instead of executing it. This is accomplished by replacing the '.' in the filename part of a URL with a '%2e', the hex value for '.':

    http://www.mycompany.com/default.asp
becomes
    http://www.mycompany.com/default%2easp

Your browser will prompt you to save the file to disk where you can then view the contents of the .asp file.

Web sites that have not installed the Microsoft IIS 3.0 hot-fix are not affected by this problem, although the trailing '.' method still works to display the contents of the .asp file.

Microsoft has been notified of this problem.

--- Check out http://www.l0pht.com/advisories.html for other l0pht advisories ---
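
Added example (not part of the original L0pht advisory): a Python check that flags both request forms described above when reviewing web server logs. It assumes the log records the raw request target as sent by the client; the log format, the sample lines and the extension list (.asp and .PL from the Severity line) are constructed for illustration.

```python
from urllib.parse import unquote

# Assumption: extensions the server should execute and never serve as text.
SCRIPT_EXTS = ("asp", "pl")

def classify(target, exts=SCRIPT_EXTS):
    """Return 'encoded-dot', 'trailing-dot' or None for a raw request target."""
    path = target.split("?", 1)[0]       # ignore the query string
    raw_name = path.rsplit("/", 1)[-1]   # filename part of the URL, still encoded
    name = unquote(raw_name)
    # Canonical form: percent-decoded, trailing dots dropped, lower-cased.
    canon = name.rstrip(".").lower()
    if not any(canon.endswith("." + ext) for ext in exts):
        return None                      # not a server-side script
    if "%2e" in raw_name.lower():
        return "encoded-dot"             # '.' in the filename sent as %2e
    if name.endswith("."):
        return "trailing-dot"            # one or more '.' appended
    return None                          # ordinary request for the script

# Constructed sample log, format "client method target status" (not real IIS output).
SAMPLE_LOG = """\
192.0.2.10 GET /default.asp 200
192.0.2.11 GET /default.asp. 200
192.0.2.11 GET /default.asp... 200
192.0.2.12 GET /default%2easp 200
192.0.2.12 GET /scripts/report%2EPL?id=7 200
192.0.2.13 GET /docs/v1%2e2/readme.txt 200
192.0.2.14 GET /images/logo.gif 200
""".splitlines()

def scan(lines, exts=SCRIPT_EXTS):
    """Return (line_number, verdict, target) for every flagged log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue                     # skip malformed lines
        verdict = classify(fields[2], exts)
        if verdict:
            hits.append((n, verdict, fields[2]))
    return hits

if __name__ == "__main__":
    for n, verdict, target in scan(SAMPLE_LOG):
        print(f"line {n}: {verdict}: {target}")
```

A flagged line answered with a success status is worth checking for disclosed script source, since the scripts may hold credentials such as SQL Server passwords.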