Posted to dev@httpd.apache.org by "Robert S. Thau" <rs...@ai.mit.edu> on 1996/06/15 20:01:48 UTC

Security bugs in Microsoft IIS...

Note that fixes for this are available, but still, it's pretty atrocious
that this slipped through in the first place.  Maybe it's time to download
that FrontPage Shot of Excedrin and start throwing brickbats at it...


(See www.stuff.com for one available patch, and note that Microsoft
claims this is fixed in their latest service pack).

Subject: Security problem with IIS 
Date: Fri, 10 May 96 00:52:14 GMT 
From: ambc@ci.ucp.pt 
Organization: telepac 
Newsgroups: comp.security.misc 


We have come across what seems to be a security problem. 
When you have an IIS server installed in the standard way and send the 
following request to it 

http://xxxx/yyyy/../../../winnt35/win.ini 

(where xxxx is the domain and yyyy a subdirectory of wwwroot) 

you get the win.ini file. 
Obviously you can get any other file. 

It is also possible to execute any external command by sending the following 
request: 

http://xxxx/scripts/yyyy/../../../winnt35/system32/xcopy.exe?c:\autoexec.bat c:\winnt35 

We have tried this in several servers running IIS and it worked on all of 
them. 

Is there any way to prevent this?!
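Both requests in the forwarded post work because the server joins the request path onto the document root and lets the file system resolve the ".." segments afterwards, so the walk up and out of wwwroot (or out of the scripts directory, where the result is then executed) is never seen. The usual fix is to canonicalize the request path first and refuse anything that climbs above the root. The following is an added example of that check, written for this page; it is not code from the post, from IIS or from Apache, and all names in it (canonicalize_request_path, request_path_is_safe, canonical_path) are hypothetical. It decodes %XX escapes before splitting, treats '\' as a separator because the Windows file system does, drops the query string before looking at the path, and rejects an embedded NUL. The sample requests are the two from the post with the xxxx/yyyy placeholders kept.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SEGS     64
#define MAX_PATH_LEN 1024

/* Decode %XX escapes. Returns 0 on a malformed escape or on %00, which would
 * truncate the path at the file-system layer. Decoding happens before the
 * path is split, so an encoded '/' or '.' cannot hide a traversal segment. */
static int url_decode(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (c == '%') {
            int v = 0;
            for (int k = 1; k <= 2; k++) {
                char h = in[k];
                int d;
                if (h >= '0' && h <= '9')      d = h - '0';
                else if (h >= 'a' && h <= 'f') d = h - 'a' + 10;
                else if (h >= 'A' && h <= 'F') d = h - 'A' + 10;
                else return 0;                 /* truncated or non-hex escape */
                v = v * 16 + d;
            }
            if (v == 0) return 0;              /* embedded NUL */
            c = (unsigned char)v;
            in += 2;
        }
        if (o + 1 >= outlen) return 0;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 1;
}

/* Write the canonical form of a request path (always starting with '/') to
 * out and return 1; return 0 if the path is malformed or would climb above
 * the document root. The query string (from '?') is not part of the path. */
int canonicalize_request_path(const char *raw, char *out, size_t outlen)
{
    char work[MAX_PATH_LEN], decoded[MAX_PATH_LEN];
    const char *segs[MAX_SEGS];
    size_t nsegs = 0, o = 0;

    size_t plen = strcspn(raw, "?");
    if (plen >= sizeof work) return 0;
    memcpy(work, raw, plen);
    work[plen] = '\0';
    if (!url_decode(work, decoded, sizeof decoded)) return 0;

    /* Split on '/' and '\' (Windows accepts both) and resolve "." and ".."
     * against a segment stack instead of letting the file system do it. */
    for (char *p = decoded; *p; ) {
        char *seg = p;
        while (*p && *p != '/' && *p != '\\') p++;
        if (*p) *p++ = '\0';
        if (seg[0] == '\0' || strcmp(seg, ".") == 0) continue;
        if (strcmp(seg, "..") == 0) {
            if (nsegs == 0) return 0;          /* would leave the root */
            nsegs--;
            continue;
        }
        if (nsegs == MAX_SEGS) return 0;
        segs[nsegs++] = seg;
    }

    if (nsegs == 0) { if (outlen < 2) return 0; strcpy(out, "/"); return 1; }
    for (size_t i = 0; i < nsegs; i++) {
        size_t l = strlen(segs[i]);
        if (o + 1 + l + 1 > outlen) return 0;
        out[o++] = '/';
        memcpy(out + o, segs[i], l);
        o += l;
    }
    out[o] = '\0';
    return 1;
}

/* Convenience wrappers: 1/0 verdict, and canonical path or NULL (static buf). */
int request_path_is_safe(const char *raw)
{
    char buf[MAX_PATH_LEN];
    return canonicalize_request_path(raw, buf, sizeof buf);
}
const char *canonical_path(const char *raw)
{
    static char buf[MAX_PATH_LEN];
    return canonicalize_request_path(raw, buf, sizeof buf) ? buf : NULL;
}

int main(void)
{
    /* The two requests from the post, as seen after scheme and host are
     * stripped, plus one legitimate request that uses ".." harmlessly. */
    const char *req[] = {
        "/yyyy/../../../winnt35/win.ini",
        "/scripts/yyyy/../../../winnt35/system32/xcopy.exe?c:\\autoexec.bat c:\\winnt35",
        "/docs/../index.html",
    };
    for (size_t i = 0; i < 3; i++) {
        const char *c = canonical_path(req[i]);
        printf("%s -> %s\n", req[i], c ? c : "REJECTED");
    }
    return 0;
}
```

The check must run on the decoded path and before the root is prepended: a prefix comparison done on the raw request would be defeated by "%2e%2e" or by a backslash, and a comparison done after the file system has already opened the file is too late. The query string is deliberately ignored here, since the xcopy request in the post is dangerous because of where the path resolves, not because of its arguments.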