Security Question, Hit highlighting vulnerability.

Status
Not open for further replies.

wduty

Programmer
Jun 24, 2000
271
US
There is a vulnerability in IIS4.0 which allows for a user to view the asp source code of a given page on the server. It works like this:

Suppose you have an asp page at:

you insert the domain name and file name into the following formula:

DOMAINNAME/null.htw?CiWebHitsFile=/FILEPATH%20&CiRestriction=none&CiHiliteType=Full

like this,

type this into your browser, in some cases you will see the server source code for the asp page. It doesn't always work but I've looked at the source code for a number of large sites this way. I know Microsoft has a patch for this but I can't find it. Has any one dealt with this problem and worked with the patch?
Any comments or information greatly appreciated (as well as any other security holes anyone might know about regarding asp and IIS4.0)

--Will Duty
wduty@radicalfringe.com
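For administrators checking whether their own server has received requests of the shape described in the post above, here is a log-scanning sketch. It is an added example, not part of the original thread, and it assumes IIS W3C extended logs with a `#Fields:` header; the function name, the extension list and the sample log lines are constructed for illustration.

```python
from urllib.parse import parse_qs

# Constructed sample in W3C extended log format (not from a real server).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-06-24 10:01:02 192.0.2.10 GET /default.asp - 200
2000-06-24 10:01:07 192.0.2.44 GET /null.htw CiWebHitsFile=/default.asp%20&CiRestriction=none&CiHiliteType=Full 200
2000-06-24 10:02:11 192.0.2.44 GET /NULL.HTW ciwebhitsfile=/admin/login.asp%20&cirestriction=none&cihilitetype=full 200
2000-06-24 10:03:30 192.0.2.17 GET /search/results.htw CiWebHitsFile=/docs/faq.htm&CiRestriction=iis&CiHiliteType=Full 200
2000-06-24 10:04:00 192.0.2.10 GET /images/logo.gif - 304
"""

# Assumption: extensions treated as server-side source; adjust per site.
SCRIPT_EXTS = (".asp", ".asa", ".inc")

def find_htw_source_requests(lines):
    """Return one record per .htw request that names a CiWebHitsFile target."""
    fields, hits = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column order can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "")
        if not stem.lower().endswith(".htw"):
            continue
        # Parameter names are matched case-insensitively; values are URL-decoded.
        query = parse_qs(row.get("cs-uri-query", ""), keep_blank_values=True)
        params = {k.lower(): v[0] for k, v in query.items()}
        target = params.get("ciwebhitsfile")
        if target is None:
            continue
        full = params.get("cihilitetype", "").lower() == "full"
        is_script = target.strip().lower().endswith(SCRIPT_EXTS)
        hits.append({
            "client": row.get("c-ip"),
            "stem": stem,
            "target": target,
            "trailing_space": target != target.rstrip(),  # the %20 in the formula
            "suspicious": full and is_script,
        })
    return hits

if __name__ == "__main__":
    for hit in find_htw_source_requests(SAMPLE_LOG.splitlines()):
        print(hit)
```

Records with `suspicious` set are full-highlight requests aimed at a script file; the fourth sample line shows an ordinary hit-highlighting request for a static document, which is reported but not flagged.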
 
Karl:

Provide us the URL link so that I can read more details.

Thanks,

Anand
 
Actually I am running an IIS4.0 server with "Option Pack 4" and I can still see all my source code. Is there a difference between "Service Pack" and "Option Pack"?

--Will Duty
wduty@radicalfringe.com
 
Yes, there is. Service Packs fix known bugs, etc.; Option Pack adds features. I do not know the URL for the Service Pack location at this moment, I will find it.

Karl
kb244@kb244.8m.com
Experienced in: C++ (both VC++ and Borland), VB1 (DOS) thru VB6, Delphi 3 Pro, HTML, Visual InterDev 6 (ASP (WebProgramming/VBScript))
 
you go.

Karl
kb244@kb244.8m.com
 
Now the question is, can anyone find any security fixes for PWS4?

Karl
kb244@kb244.8m.com
 