When you choose yes to open the file what actually happens is, it downloads the .lnk file to your hard drive and executes it... therefore opening the link to the file on YOUR hard drive, unless you have NetBIOS and it could get it from the remote server that way depending if you have access or not bla bla bla, and not the remote server.

For example I created a symlink file called 'mang.lnk' and stuck it in my wwwroot and then did a get request on it and it returned the contents of the .lnk file.... when you click "Open" from within IE/Netscape... it does a get request on the file and saves it to your hard drive and runs it.

Are you sure you did not try this on your own system or a system you had access to and it followed the link and read it from your HD? Maybe I did something wrong, [read: very tired], but I could not really reproduce what you're talking about.

Also I would not really call a .lnk file a symlink... something done with CreateHardLink() would be more of a "real link."

Signed,
Marc
eEye Digital Security Team
http://www.eEye.com

-----Original Message-----
From: Aris Yahnis
To: BUGTRAQ@NETSPACE.ORG
Date: Monday, June 21, 1999 5:54 PM
Subject: IIS 4.0 symlinks

|Hi,
|
|I'm sorry if this is old or has been discussed before or it is even not a
|bug... But I have a system with IIS 4.0 installed + SP5 and I noticed
|something. If a user has on his page a file misc.lnk which was created on
|his own, probably NT, box, and this file points anywhere on the web server's
|files, then when he tries to view the file he will be able to see the
|contents of the file the .lnk points to.
|
|Example xploit:
|
|Find a web hosting site, create a fictitious account, make a shortcut of a
|file you would like to see, e.g. c:\winnt\profiles\administrator\ntuser.dat,
|upload the .lnk file to the web server and then go ask for it. Answer yes
|to open the file remotely (or something like that).
|
|Now the q: Is it a feature of IIS to follow links? Or is it a bug?
|
|PS. I thought this thing over and I couldn't find a help with closing
|link-following.
|
|
|With regards Mig
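A content-based check of the kind a hosting provider could put in front of user uploads, added here as an example and not code from either poster or from eEye: it recognises a Windows shortcut by the fixed MS-SHLLINK header (HeaderSize 0x4C followed by the link CLSID 00021401-0000-0000-C000-000000000046) rather than by the .lnk extension, and lists which LinkFlags bits are set. The `accept_upload` filter and the constructed 76-byte sample header are assumptions of the example, not anything from the thread.

```python
import struct

# Fixed values from the Shell Link (MS-SHLLINK) header: HeaderSize is always 0x4C
# and LinkCLSID is always 00021401-0000-0000-C000-000000000046 stored little-endian.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"

# Low byte of the LinkFlags field, which sits at offset 20 of the header.
LINK_FLAGS = {
    0x01: "HasLinkTargetIDList",
    0x02: "HasLinkInfo",
    0x04: "HasName",
    0x08: "HasRelativePath",
    0x10: "HasWorkingDir",
    0x20: "HasArguments",
    0x40: "HasIconLocation",
    0x80: "IsUnicode",
}


def is_shell_link(data: bytes) -> bool:
    """True if the bytes begin with a valid Shell Link header, whatever the file name says."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    header_size = struct.unpack_from("<I", data, 0)[0]
    return header_size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def link_flags(data: bytes) -> list:
    """Names of the LinkFlags bits that are set; empty for anything that is not a shortcut."""
    if not is_shell_link(data):
        return []
    flags = struct.unpack_from("<I", data, 20)[0]
    return [name for bit, name in LINK_FLAGS.items() if flags & bit]


def accept_upload(filename: str, data: bytes) -> bool:
    """Hypothetical hosting-side filter: refuse shortcut files by content, not by extension."""
    return not is_shell_link(data)


def make_sample_lnk(flags: int) -> bytes:
    """Constructed test input: a bare 76-byte header carrying the given LinkFlags value."""
    head = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, flags)
    return head + b"\x00" * (LNK_HEADER_SIZE - len(head))


if __name__ == "__main__":
    sample = make_sample_lnk(0x03)  # HasLinkTargetIDList | HasLinkInfo
    print(accept_upload("misc.lnk", sample), link_flags(sample))
    print(accept_upload("notes.txt", sample))          # renamed shortcut is still rejected
    print(accept_upload("index.html", b"<html></html>"))
```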