The best place to ask is ntsecurity @
net, though depending on the version
of IIS, it is vulnerable to:
o The dot bug - where active server page URLs ended by a dot returned the
text of the server-side script rather than executing the script, possibly
exposing database passwords, SQL calls, usernames, etc.
o Buffer overflow - where characters beyond a certain URL length are
executed as console commands.
o Batch files (.bat) and command files (.cmd) used as server-side scripts
run with SYSTEM priviledge.
o Redirect - Script files output can be written to a file on the webserver,
such as http://domain.tld/scripts/scriptname%0A%0D>PATH\target.bat will
create an output file 'target.bat''.
o Truncate - If target.bat exists, the target file will be truncated.
o If the webserver is installed as a standalone domain, the server becomes
a domain controller. When the user account IIS_webserver is created, it
becomes a part of the 'DOMAIN USERS' group. Users connecting in as
'ANONYMOUS' run as 'IIS_webserver', which now runs .ASP files with 'DOMAIN
USERS' priviledges, instead of the intended 'ANONYMOUS' user.
Other NT vulnerabilites such as IP Fragmentation attacks on a system behind
a packet filter firewall can be found at http://www.ntsecurity.net/ (was my
old ntexploits list). ;) Also see http://ntbugtraq.rc.on.ca/ for the
NTbugtraq mailing list, and http://www.iss.net/ for the ntsecurity mailing list.
You can also search the Microsoft Knowledge Base for 'IIS' or 'ntsecurity'.
At 02:31 PM 7/28/97 -0700, dave kaas wrote:
>This may not be the right place to post this, and if not I apologize.
>I have seen several descriptions of security problems with CGI script
>and server side includes on web pages but have seen nothing on IIS asp
>pages. What kind of security problems, if any, exist on asp pages? I
>would think they would be similar to server side includes?
> Dave Kaas Internet: dave_kaas @
> Lockheed Martin Services Phone: (509) 376-6386
> United States Department of Energy, Richland, WA