Updated July 2, 1998


This Is A REAL Howler...

Major New Security Bug Hits Microsoft Internet Information Server

WANT TO CATCH Microsoft with it's pants down in a seriously embarrassing way?

If you're quick enough, you can by cruising Microsoft's main search page at http://search.microsoft.com/default
.asp.

Now add ::$DATA to the URL, or click this link, http://search.microsoft.com/default
.asp::$DATA.

If you add ::$DATA to the URL, and if Microsoft hasn't fixed the problem yet, you'll be prompted to save a file to your hard drive.

Now open that file in a text editor such as Windows Notepad, and you'll be greeted with a sight that's interesting (or alarming if you're Microsoft).

There for all the world to see is a bunch of Active Server Page (ASP) scripting like the following:

<%
SPath = Request.QueryString("SPath").Item
SName = Request.QueryString("SName").Item
strCmd = Request.QueryString("CommandString").Item
strBoolean = Request.QueryString("Boolean")
intCat = CInt(Request.QueryString("intCat"))

intPlus = InStr(strCmd,"±")
If intPlus = 0 then
strCmd = strCmd
Else
strCmd = Left(strCmd, intPlus - 1)
End If
%>

Normally this ASP scripting is entirely hidden from public view, and with good reason. According to Bob Minor, owner of CyberMill, an internet service provider in St. Louis, revealing this sort of scripting creates a major security hole on the system in question.

"With knowledge of how the scripts are set up, someone can send commands to the server and potentially wreck all sorts of havoc," said Minor.

"This is easy and grotesque. It's really disturbing."

MICROSOFT WINDOWS NT Security Product Manager Karan Khanna has acknowledged to BugNet that there is a security hole in Microsoft Internet Information Server (IIS) versions 3 and 4.

If you specify a page on a server running IIS, and append ::$DATA to the URL, you will be given access to ASP scripting information.

And that's not all. The ::$DATA trick also reveals Perl scripting, CGI-bin scripting, and even online database scripting of products like WebCat.

Khanna told BugNet that fixes for the problem in both IIS 3 and IIS 4 will be posted to http://www.microsoft.com/security by the end of today, July 2.

Microsoft will also post work arounds for both version of IIS to the same page.

-- Bruce Brown



© BugNet material copyright 1994-1999 by BugNet.
® BugNet is a Registered Trademark of KeyLabs.
Astonisher.com material is

© Copyright 1973 - 2015 by Bruce Brown and BF Communications Inc.
Astonisher.com is a trademark of BF Communications Inc.

This historic replica of BugNet from the period 1994-1999
is presented by astonisher.com with the permission of BugNet.

BF Communications Inc.
P.O. Box 393
Sumas, WA 98295 USA
(360) 927-3234

Website by Running Dog


* Here's Bruce Brown's BugNet Memoir...
* Here's the free BugNet from 1999...
BugNet