By appending ::$DATA to .asp URLs you are able to download the ASP source code from Microsoft web servers [from http://www.rootshell.com/ ] Date: Tue, 30 Jun 1998 15:27:32 +0200 From: Paul Ashton Sender: Windows NT BugTraq Mailing List Subject: ASP vulnerability with Alternate Data Streams Following on from the last .asp vulnerability which applied to URLs ending in spaces, and the previous that allowed .asps to be read if they end in ".", it turns out that there is yet another due to Alternate data streams. The unnamed data stream is normally accessed using the filename itself, with further named streams accessed as filename:stream. However, the unnamed data stream can also be accessed using filename::$DATA. If you open http://somewhere/something.asp::$DATA it turns out that you will be presented with the source of the ASP instead of the output. Deja vu?! It is left as an exercise for the reader to thing of further implications in other programs running on NT. Obviously, anything that to tries to restrict access based on filename instead of ACLs is going to have a hard time after this and the other recent revelations. Paul --------------------------------------------------------------------------- Date: Thu, 2 Jul 1998 09:42:28 -0700 From: Karan Khanna Subject: ASP vulnerability with Alternate Data Streams Microsoft has a fix for this issue identified by Paul Ashton for both IIS 3 and IIS 4. This is currently in testing and will be posted today. Please visit http://www.Microsoft.com/security for a description of the issue and the location for the fix. --------------------------------------------------------------------------- Date: Wed, 1 Jul 1998 22:30:57 -0400 From: Russ Subject: Re: Alert: Microsoft Security Notification service First, a clarification to the "Disable READ Access" workaround statement. You can prevent the ASP's from being viewed by disabling READ access within MMC for the ASPs. If you disable READ access for your entire site (or all files, like .gif, .htm, .etc) then those files will not be displayed at all. ASPs need execute only, all non-executing files need READ access to display normally. Second, Microsoft have been notified. Expect a fix announcement shortly. Third, I was able to talk to Bob Denny (author of O'Reilly's WebSite Pro), it is not affected by this exploit. I was not able to find a contact at Netscape to ask. Cheers, Russ