漏洞类别:Web server漏洞等级: 
漏洞信息
Microsoft IIS (Internet Information Server) widely uses Active Server Pages (ASP). These scripts are similar to PHP pages on Apache servers. Microsoft IIS Versions 3.0 and 4.0 contain a vulnerability that allows unauthorized users to obtain the source code for an ASP file.
By appending ::$DATA to an ASP filename being requested, you can force the ASP source to be returned, instead of the ASP being executed. For example, the following URL will return the source code of default.asp:
- http://www.example.org/default.asp::$DATA
漏洞危害
If successfully exploited, unauthorized users can view the source of the ASP files on your server. ASP source codes usually contain sensitive information, such as logins and passwords, which could lead to unauthorized database access.
解决方案
For more information about this vulnerability and for links to available patches and related articles, read Microsoft Article Q188806.
Alternatively, you can upgrade to the most recent version of Microsoft IIS to eliminate this problem.
Virtual Patches:
Trend Micro Virtual Patching
Virtual Patch #1000444: 1000444 - IIS ASP Alternate Data Streams Vulnerability
0day
文章评论