Somebody in a previous mail posted:
>> And something else... I notice handler mapped file extensions
>> reveal system file paths for web directories..
>> ie: try (.idq, .idc, .stm, .pl, .cgi) depending on what is mapped.
>> example : http://www.microsoft.com/badidea.stm
>> Returns "Error processing SSI file 'd:\http\badidea.stm'"
But it's even worse than that, if you take a simple URL, based
on the above problem which I also discovered, like:
http://www.victim.com/asp/something.stm/asp/Index.asp
you get the raw asp code for the file INDEX.ASP (or anything else.)
The handler returns the raw code of the file without going through
PERL 5 (or the appropriate programming language), these leaves
previously undiscovered problems open for attack. (Although most of
the programs are well protected against buffer-overloads, these script
can be read and the information gained can be used to "crack" the
site.)
A related problem is the ability to transfers the
sub-directories, because the .STM file reads firstly what's in the
http://www.victim.com/ you are able to go from 'd:\main\WWW\' to any
other directory within this hierarchy.
Example:
http://www.victim.com/asp/something.stm
Returns "Error processing SSI file 'd\main\WWW\something.stm'"
http://www.victim.com/asp/something.stm/something.asp
Returns the raw "something.asp" code in the directory 'd\main\WWW\'
And,
http://www.victim.com/asp/something.stm/asp/something.asp
Returns the raw "something.asp" code in the directory
'd\main\WWW\asp\'
This includes any other files you've included as information
handlers, ( Java class files, VB files, etc...) even encrypted
password files. As long as you know the file names you can access the
raw code. (This also means you can download it.)
I'd like to thank "Micha³ Zalewski"
<lcamtuf@boss.staszic.waw.pl> for his help in discovering this
problem. I'll further investigate this problem.
blaze your trail!
-- David DuneUnsolicited commercial email read for $500 per message.