|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
ASP vulnerability with Alternate Data Streams
- To: NTBUGTRAQ
LISTSERV.NTBUGTRAQ.COM - Subject: ASP vulnerability with Alternate Data Streams
- From: Paul Ashton <paulARGO.DEMON.CO.UK>
- Date: Tue, 30 Jun 1998 15:27:32 +0200
- Reply-To: Paul Ashton <paulARGO.DEMON.CO.UK>
- Sender: Windows NT BugTraq Mailing List <NTBUGTRAQLISTSERV.NTBUGTRAQ.COM>
Following on from the last .asp vulnerability which applied to URLs ending in spaces, and the previous that allowed .asps to be read if they end in ".", it turns out that there is yet another due to Alternate data streams. The unnamed data stream is normally accessed using the filename itself, with further named streams accessed as filename:stream. However, the unnamed data stream can also be accessed using filename::$DATA. If you open http://somewhere/something.asp::$DATA it turns out that you will be presented with the source of the ASP instead of the output. Deja vu?! It is left as an exercise for the reader to thing of further implications in other programs running on NT. Obviously, anything that to tries to restrict access based on filename instead of ACLs is going to have a hard time after this and the other recent revelations. Paul
- Prev by Date: Re: Vague ASP Vulnerability in WebSite and Netscape NT Servers
- Next by Date: Re: MS SQL Server 6.5 stores password in unprotected area of registry
- Prev by thread: MS SQL Server 6.5 stores password in unprotected area of registry
- Next by thread: ASP vulnerability with Alternate Data Streams
- Index(es):