Re: IIS still revealing paths for web directories
Subject: Re: IIS still revealing paths for web directories
From: Georgi Guninski (joro NAT.BG)
Date: Thu Jan 13 2000 - 04:10:29 CST
Vanja Hrustic wrote:
>
> This has been mentioned before, but it's probably good to remind
> Microsoft about some outstanding issues.
>
> Request : http://www.microsoft.com/anything.ida
> Response: The IDQ file d:\http\anything.ida could not be found.
>
> Request : http://www.microsoft.com/anything.idq
> Response: The IDQ file d:\http\anything.idq could not be found.
>
> Microsoft is running IIS5
>
> The same problem still exists on IIS4 (tested with SP5 - didn't try on
> SP6).
>
> It's not really a big deal, but they should fix it.
>
This leads to a client side problem also.
The problem is IIS does not escape the response, so one may put some
HTML and javascript in the page returned from www.microsoft.com.

Vulnerabilities:
1) For IE (tested on 5.01, probably other versions) - if the user has
put www.microsoft.com in the Trusted sites security zone, then hostile
javascript and ActiveX may be executed in the Trusted sites security
zone.
2) It is possible to spoof www.microsoft.com by just clicking on a link.
There are probably other vulnerabilities.

Demonstration - click on the links, may also be invoked by javascript:

For IE:
http://www.microsoft.com/%3CP%20style=left:expression(alert("window.location:"+window.location))%3E.ida
(I am surprised <IMG SRC="javascript:code"> does not work in IE, one
needs to reload the page in order to make it execute)

For Communicator:
http://www.microsoft.com/%3CIMG%20SRC=javascript:alert("window.location:"+window.location)%3E.ida

Regards,
Georgi Guninski
http://www.nat.bg/~joro
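
The missing output encoding described in the message above, shown next to an encoded version, as an added example that is not part of the original post and is not IIS code. `WEB_ROOT`, the function names and the sample request path are constructed for illustration.

```javascript
// Added example: constructed illustration, not IIS source code.
const WEB_ROOT = "d:\\http"; // physical root as it appears in the quoted error text

// Percent-decode the request path and drop the leading slash, as a server
// does before mapping the URL to a file name.
function requestedName(rawPath) {
  return decodeURIComponent(rawPath).replace(/^\//, "");
}

// Behaviour described in the thread: the decoded name and the physical
// directory are copied into the HTML error body unchanged.
function errorPageUnescaped(rawPath) {
  const name = requestedName(rawPath);
  return `<html><body>The IDQ file ${WEB_ROOT}\\${name} could not be found.</body></html>`;
}

// HTML-encode every character that can change the parsing context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened form: encode the reflected name and omit the physical directory,
// which addresses both the path disclosure and the markup reflection.
function errorPageEscaped(rawPath) {
  const name = requestedName(rawPath);
  return `<html><body>The IDQ file ${escapeHtml(name)} could not be found.</body></html>`;
}

// Regression check for an error handler: true when markup supplied in the
// request path survives verbatim in the response body.
function reflectsRawMarkup(html, rawPath) {
  const name = requestedName(rawPath);
  return /[<>]/.test(name) && html.includes(name);
}

// Constructed sample request containing a harmless percent-encoded tag.
const sample = "/%3Cb%3Emarker%3C/b%3E.ida";
console.log(reflectsRawMarkup(errorPageUnescaped(sample), sample)); // true
console.log(reflectsRawMarkup(errorPageEscaped(sample), sample));   // false
```

The same check can be run against any error handler that echoes part of the request, using a harmless marker tag as input.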
This archive was generated by hypermail 2b27 : Thu Jan 13 2000 - 15:13:23 CST