Perl.exe and IIS security advisory
mnemonix (mnemonix GLOBALNET.CO.UK)
Fri, 22 Jan 1999 20:58:33 -0000

There is a problem with perl.exe similar to the issue discussed in KB article Q193689 where the physical disk location of a virtual web directory can be ascertained.

In all versions of IIS, where a website has been configured to interpret perl scripts using the perl executable (perl.exe), a problem exists where a request for a non-existent file will return the physical location on a disk of a web directory.

A request for:

    http://www.server.com/scripts/no-such-file.pl

will return information similar to the following:

    CGI Error
    The specified CGI application misbehaved by not returning a complete set of HTTP headers. The headers it did return are:

    Can't open perl script "C:\InetPub\scripts\no-such-file.pl": No such file or directory

Previously this was a problem when requesting a non-existent .IDC file but this was resolved with Service Pack 4.

To resolve this problem in IIS 2 and 3 you can use perlis.dll, the ISAPI version of the perl interpreter, instead of the executable. You can use this in IIS 4 as well, however, if you still want to use perl.exe you can configure IIS to check for the file's existence.

NTInfoScan, downloadable from http://www.infowar.co.uk/mnemonix/ntinfoscan.htm , checks for this problem and the .IDC issue as well as other security checks.

Cheers,
David Litchfield
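
A defender-side check for the response described in the message above, added here as an example; it is not part of the original post and not NTInfoScan's code. It inspects a response body you have already collected from your own server and reports whether perl.exe's error text discloses a physical path. The names `check_response` and `Finding`, the handling of an HTML-escaped variant, and the 404 body are assumptions constructed for illustration.

```python
import html
import ntpath
import re
from typing import NamedTuple, Optional

# perl.exe's own message: Can't open perl script "<path>": <reason>
PERL_OPEN_ERROR = re.compile(r'Can\'t open perl script "([^"\r\n]+)"')
# Only a drive-letter or UNC path counts as a physical-location leak.
PHYSICAL_PATH = re.compile(r'^(?:[A-Za-z]:[\\/]|\\\\)')


class Finding(NamedTuple):
    script_path: str         # full path echoed by perl.exe
    directory: str           # physical directory behind the virtual one
    via_iis_cgi_error: bool  # True if wrapped in the IIS "CGI Error" page


def check_response(body: str) -> Optional[Finding]:
    """Return a Finding if the body discloses a physical script path."""
    # Assumption: some front ends HTML-escape the quotes, so decode first.
    text = html.unescape(body)
    match = PERL_OPEN_ERROR.search(text)
    if match is None or not PHYSICAL_PATH.match(match.group(1)):
        return None
    path = match.group(1)
    return Finding(path, ntpath.dirname(path), "CGI Error" in text)


# Response text as quoted in the advisory.
VULNERABLE_BODY = (
    "CGI Error\n"
    "The specified CGI application misbehaved by not returning a complete "
    "set of HTTP headers. The headers it did return are:\n\n"
    'Can\'t open perl script "C:\\InetPub\\scripts\\no-such-file.pl": '
    "No such file or directory\n"
)
# Constructed sample: a plain not-found page, as expected once IIS checks
# that the file exists before handing the request to perl.exe.
FIXED_BODY = "HTTP Error 404\n404 Not Found\n"

if __name__ == "__main__":
    for name, body in (("vulnerable", VULNERABLE_BODY), ("fixed", FIXED_BODY)):
        print(name, "->", check_response(body))
```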