VID 22369
Severity 30
Port 80, ...
Protocol TCP
Class WWW
Detailed Description The Microsoft IIS 5.1 server is vulnerable to a script source disclosure vulnerability via a WebDAV HTTP request. Microsoft Internet Information Server (IIS) 5.1, which ships with Windows XP, could reveal the source code of server-side scripts, such as .ASP or .ASA files, through a specially crafted WebDAV HTTP request. If web script files are stored on a FAT or FAT32 partition, a remote attacker can send a file request that contains a specialized HTTP header (Translate: f), with Unicode characters in place of one of the letters of the file name, to cause the Web server to send the source code of the file to the attacker. ASP source code may contain sensitive information such as usernames and passwords for ODBC connections.

* References:
http://ingehenriksen.blogspot.com/2005/09/iis-51-allows-for-remote-viewing-of.html

* Platforms Affected:
Microsoft IIS 5.1
Microsoft Windows XP Any version
Recommendation Don't use FAT or FAT32 with Microsoft IIS 5.1. You can convert a FAT or FAT32 volume to an NTFS volume without formatting the volume using convert.exe. Once you convert a drive or partition to NTFS, you cannot simply convert it back to FAT or FAT32.
Related URL (CVE)
Related URL 14764 (SecurityFocus)
Related URL (ISS)
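
The request shape in the Detailed Description (a Translate: f header together with Unicode characters in the requested file name) can be checked for in captured HTTP requests at a proxy or sensor. The following is an added example, not part of the original advisory or of any scanner's own code; the function names and sample requests are constructed, and it assumes the Unicode character arrives either percent-encoded (including the IIS-style %uXXXX form) or as a raw non-ASCII byte.

```python
import re
from urllib.parse import unquote_to_bytes

# IIS-style %uXXXX escape for a Unicode code point in a URL.
PCT_U = re.compile(r"%u[0-9a-fA-F]{4}")

def parse_request(raw: bytes):
    """Split a raw HTTP request head into (method, target, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split()
    if len(parts) < 2:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers

def non_ascii_in_filename(target: str) -> bool:
    """True if the last path segment carries a non-ASCII character."""
    filename = target.split("?", 1)[0].rsplit("/", 1)[-1]
    if PCT_U.search(filename):
        return True
    # Decode %XX escapes and look for any byte outside 7-bit ASCII.
    return any(b > 0x7F for b in unquote_to_bytes(filename))

def is_suspicious(raw: bytes) -> bool:
    """Flag 'Translate: f' combined with a non-ASCII file name.

    The extension is deliberately not matched: a substituted letter may
    sit in the extension itself. 'Translate: f' alone is not flagged,
    because WebDAV authoring clients send it routinely.
    """
    _method, target, headers = parse_request(raw)
    if headers.get("translate", "").lower() != "f":
        return False
    return non_ascii_in_filename(target)

# Constructed sample requests (host and paths are placeholders).
SAMPLES = {
    "translate_utf8": b"GET /app/caf%C3%A9.asp HTTP/1.1\r\nHost: example.test\r\nTranslate: f\r\n\r\n",
    "translate_pct_u": b"GET /app/caf%u00e9.asp HTTP/1.1\r\nHost: example.test\r\ntranslate: F\r\n\r\n",
    "translate_ascii": b"GET /app/index.asp HTTP/1.1\r\nHost: example.test\r\nTranslate: f\r\n\r\n",
    "plain_utf8": b"GET /app/caf%C3%A9.asp HTTP/1.1\r\nHost: example.test\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {is_suspicious(raw)}")
```

A hit is a lead for review, not proof: legitimate WebDAV authoring of a file with a non-ASCII name produces the same combination.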