Signature Detail

HTTP: IIS Script Source Disclosure

This signature detects attempts to exploit a vulnerability in Microsoft IIS Web server. Attackers can request data using the "Translate: f" header field to cause un-patched versions of IIS to display the requested file's source code. A successful attack can allow attackers to view proprietary code or discover security holes in script files.

Extended Description

Microsoft IIS 5.0 has a dedicated scripting engine for advanced file types such as ASP, ASA, HTR, etc. files. The scripting engines handle requests for these file types, processes them accordingly, and then executes them on the server. It is possible to force the server to send back the source of known scriptable files to the client if the HTTP GET request contains a specialized header with 'Translate: f' at the end of it, and if a trailing slash '/' is appended to the end of the URL. The scripting engine will be able to locate the requested file, however, it will not recognize it as a file that needs to be processed and will proceed to send the file source to the client.

Affected Products

• Microsoft IIS 5.0

References

• BugTraq: 1578
• CVE: CVE-2000-0778
• URL: http://www.microsoft.com/technet/security/bulletin/fq00-058.mspx
• URL: http://archives.neohapsis.com/archives/ntbugtraq/2000-q3/0080.html