Microsoft IIS UNC Mapped Virtual Host Vulnerability
BID:1081
Info
Microsoft IIS UNC Mapped Virtual Host Vulnerability
| Bugtraq ID: | 1081 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | Yes |
| Published: | Mar 30 2000 12:00AM |
| Updated: | Mar 30 2000 12:00AM |
| Credit: | Discovered by Adam Coyne <[email protected]> and publicized in Microsoft Security Bulletin (MS00-019) on March 30, 2000. |
| Vulnerable: |
Microsoft Site Server Commerce Edition 3.0 i386 Microsoft Site Server Commerce Edition 3.0 alpha Microsoft Proxy Server 2.0 Microsoft IIS 5.0 Microsoft IIS 4.0 alpha Microsoft IIS 4.0 Microsoft Commercial Internet System 2.5 Microsoft Commercial Internet System 2.0 |
| Not Vulnerable: | |
Discussion
Microsoft IIS UNC Mapped Virtual Host Vulnerability
If a virtual host root is mapped to a UNC share, a backward slash "\" appended to an ASP or HTR extension in a URL request to that virtual host will cause Microsoft Internet Information Server to transmit full source code of the file back to a remote user. Files located on the local drive where IIS is installed is not affected by this vulnerability.
If a virtual host root is mapped to a UNC share, a backward slash "\" appended to an ASP or HTR extension in a URL request to that virtual host will cause Microsoft Internet Information Server to transmit full source code of the file back to a remote user. Files located on the local drive where IIS is installed is not affected by this vulnerability.
Exploit / POC
Microsoft IIS UNC Mapped Virtual Host Vulnerability
http://target/file.asp\
http://target/file.asp\
Solution / Fix
Microsoft IIS UNC Mapped Virtual Host Vulnerability
Solution:
Microsoft has released patches which rectify this issue. It should be noted that Proxy Server, Site Server, Site Server Commerce Edition and Microsoft Commercial Internet System run atop IIS. Customers using these products should apply the patch appropriate for the version of IIS they are running.
Microsoft IIS 4.0 alpha
Microsoft IIS 4.0
Microsoft IIS 5.0
Solution:
Microsoft has released patches which rectify this issue. It should be noted that Proxy Server, Site Server, Site Server Commerce Edition and Microsoft Commercial Internet System run atop IIS. Customers using these products should apply the patch appropriate for the version of IIS they are running.
Microsoft IIS 4.0 alpha
-
Microsoft Q249599
http://download.microsoft.com/download/iis40/Patch/4.2.736.1/ALPHA/EN- US/uncsec4a.exe
Microsoft IIS 4.0
-
Microsoft Q249599
http://download.microsoft.com/download/iis40/Patch/4.2.736.1/NT4/EN-US /uncsec4i.exe
Microsoft IIS 5.0
References
Microsoft IIS UNC Mapped Virtual Host Vulnerability
References:
References: