IIS on Windows
Information leak
Path disclosure
Packetstorm, NTBugtraq
In NTBugtraq, the discussion is in the January 2000 archive, with a subject of "ASP Request Object".
I have yet to figure out what bug this represents, and hence have no IDs nor accurate Effect.
COMMAND ASP
SYSTEMS AFFECTED Win
PROBLEM Pietro Di Mosmanza found following. In ASP you have some built-in objects, one of which is the Request Object. This object retrieves the values that the client browser passed to the server during a HTTP request.
http://www.myserver.com/default.asp?variable=value Request("variable") = value
However, when the value exists of a percentage sign (which can be followed by 1 arbitrary character), Request("variable") holds some kind of path which can reveil some information about the internal structure of the website. This can be a problem when such a variable is printed directly into the HTML, or when the VBscript can't deal with bogus input.
http://www.myserver.com/default.asp?variable=%Request("variable") = <bogus_string>
On some sites it is possible to see which one of the virtual sites on the same server it is, you'll see something like "˙LM/W3SVC/1/Root/test". Look for example on Microsoft's site
http://search.microsoft.com/us/SearchMS.asp?so=RECCNT&boolean=PHRASE&intCat=0&intCat=1&intCat=2&intCat=3&intCat=4&intCat=5&intCat=6&intCat=7&intCat=8&intCat=9&p=1&nq=NEW&LOC=&qu=%
Tested with ASP version 4.02.0727, IIS 4.0, NT 4.0 sp 4.
SOLUTION
Nothing yet.
GET /SearchMS.asp?so=RECCNT&boolean=PHRASE&intCat=0&intCat=1&intCat=2&intCat=3&intCat=4&intCat=5&intCat=6&intCat=7&intCat=8&intCat=9&p=1&nq=NEW&LOC=&qu=% HTTP/1.1 Host: www.i-pi.com User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.1) Gecko/20031114 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive