[prev in list] [next in list] [prev in thread] [next in thread] 

List:       webappsec
Subject:    RE: getting an ASP file
From:       "Calderon, Juan C (CORP, DDEMESIS)" <Juan.Calderon () ddemesis ! ge ! com>
Date:       2003-04-22 15:01:21
[Download RAW message or body]

*************
         I don't remeber what version of IIS and service pack that had a 
security flaw related to this.
         What I remember is that if you put ::$DATA before the file.asp the 
server will let you download the source.
         I mean: http://some.server.com/main.asp::$DATA
         Will appear a box to save this file, like a download, but with the 
source code of the asp page.
************

oh, that's an old trick, it is very improbable to get the file this way, since patch \
for this flaw was issued on July 1998

cheers :)


[prev in list] [next in list] [prev in thread] [next in thread]