漏洞类别:Web server漏洞等级: 
漏洞信息
Microsoft IIS Version 5.0 has a dedicated scripting engine for advanced file types, such as ASP, ASA, and HTR files. The scripting engine handles requests for these file types, processes them accordingly, and then executes them on the server.
Unauthorized users can force the server to send back the source of known scriptable files to the client if the HTTP GET request contains a specialized header with 'Translate: f' at the end of it, and if a trailing slash '/' is appended to the end of the URL. The scripting engine is able to locate the requested file; however, it will not recognize the file as one that needs to be processed and will send the file source to the client.
漏洞危害
Unauthorized users can exploit this vulnerability to retrieve the source of an asp file, and possibly launch further attacks on any vulnerabilities they may find in the source.
解决方案
Patch:
Following are links for downloading patches to fix the vulnerabilities:
MS00-058: Microsoft Internet Information Server 5.0
Virtual Patches:
Trend Micro Virtual Patching
Virtual Patch #1000790: Microsoft IIS Translate f Source Code Disclosure
0day
文章评论