Microsoft IIS File Fragment Disclosure Vulnerability

Microsoft IIS is shipped with a number of HTR scripts, which are processed by ISAPI extensions.

Due to the handling of requests by the ISAPI extensions, it's possible for a remote user to disclose various known files. A maliciously crafted URL could cause IIS to use .htr ISAPI extensions to process requests of other file types, and segments of the file could be disclosed to the attacker. Successful exploitation of this vulnerability could lead to the disclosure of sensitive information and possibly assist in further attacks against the victim.

It should be noted that this vulnerability is a variation of a previously discovered bug (refer to Security Focus ID 1193 and ID 1488).

This vulnerability makes it possible to read a fragment (till the first "<%") of any file under the Web root. As a result, a malicious user can gain access to sensitive information, such as the name of the database used in the comments of an .asp file. The information obtained could then be used in further attacks against the host.

Microsoft released patches to resolve this issue:

Microsoft IIS Version 5.0 Patch Q285985_W2K_SP3_x86_en.exe

Microsoft IIS Version 4.0 Patch frgvuli.exe

Virtual Patches:
Trend Micro Virtual Patching
Virtual Patch #1000613: IIS 5.0 allows viewing files using %3F+.htr