Affected Software:
Microsoft IIS 7.5 with configured Classic ASP and .NET Framework 4.0
installed (.NET Framework 2.0 is unaffected, other .NET frameworks have not been tested) (tested on Windows 7)
Details:
By appending ":$i30:$INDEX_ALLOCATION" to the directory serving the classic ASP file access restrictions can be successfully bypassed.
Take this Example:
1.) Microsoft IIS 7.5 has Classic ASP configured (it allows serving .asp files)
2.) There is a password protected directory configured that has administrative asp scripts inside
3.) An attacker requests the directory with :$i30:$INDEX_ALLOCATION appended to the directory name
4.) IIS/7.5 gracefully executes the ASP script without asking for proper credentials
No comments:
Post a Comment