Mar 04

An iframe delay when loading local drives in IE7 and IE8 can cause drive-list enumeration!
A proof of concept is available at this link:
http://plaincipher.com/demo/IE-Drive-Enum-Demo.html

Cheers,
Soroush Dalili

Jan 04

After OWASP updated its Top 10, I’m now very glad to quote this:

The Web Application Security Consortium (WASC) is pleased to announce the long awaited release of the WASC Threat Classification v2.0.

You can read more information from these links: http://projects.webappsec.org/Threat-Classification and http://projects.webappsec.org/f/WASC-TC-v2_0.pdf

Cheers,

Soroush

Jan 03

First of all, Microsoft is one of the best companies, one that leads us to a better world. But nothing is free of fault except God!

I’m writing this post as a response to the Microsoft security response in: “http://blogs.technet.com/msrc/archive/2009/12/29/results-of-investigation-into-holiday-iis-claim.aspx”.

They said: “We’ve completed our investigation into the claims that came up over the holiday of a possible vulnerability in IIS and found that there is no vulnerability in IIS.” Therefore, I realized that this is not a Microsoft IIS hole, so it should be a feature of IIS 6.0! In my opinion it’s a good feature for attackers to bypass the protection of web upload forms. Now my question is: why have they removed this feature from IIS 7 and 7.5 then? And why are others so concerned about this feature, and why have some people added it to their exploit collections?

I think it’s not even a critical bug for IIS itself, but it is highly critical for most web applications.

Besides, Microsoft is wrong about the default configurations, since they said “customers who are using IIS 6.0 in the default don’t need to worry about this issue”. I think they should look at the default configurations of shared servers as well as dedicated ones.

Finally, I think Microsoft should fix this feature as soon as possible to eliminate its risks! And it is up to web security researchers and web penetration testers to decide about the impact of this vulnerability on web applications.

PS:

You can also look at these links:

- http://www.darknet.org.uk/2009/12/microsoft-iis-semicolon-bug-leaves-servers-vulnerable/
- http://www.esecurityplanet.com/trends/article.php/3855936/article.htm
- http://www.securityfocus.com/bid/37460/references

Dec 25

I have written a recursive function using the Javascript “setInterval” function, which calls itself. Unfortunately, none of the latest versions of the popular browsers, Internet Explorer (8), Chrome (3.0.195.38) and Mozilla Firefox (3.5.6), blocks this script. Moreover, it takes more than 50% of my CPU, an Intel Core 2 Duo 2.50 GHz.
The worst is Mozilla Firefox, which stops working after running this script instead of showing a prompt to stop the script.
This script is:

<script>
// Each call schedules a new 1 ms timer that calls this function again,
// so the number of pending timers grows without bound.
function recursiveFunc(){ setInterval("recursiveFunc()", 1); }
recursiveFunc();
</script>

Just save it as an HTML file and try to open it in your browsers. You can change “1” to “0” to get a better result in Mozilla Firefox and Chrome.
I reported it to Mozilla Firefox as a bug.
Good luck.

Dec 25

I found a vulnerability in Microsoft IIS while searching for a method to execute an ASP file when only a JPG file can be uploaded.

The result was very simple, but interesting! I only needed a semicolon between “.asp” and “.jpg” to execute an ASP file, so the answer was “myfilename.asp;.jpg”. I have written some information about this vulnerability in:

http://soroush.secproject.com/downloadable/iis-semicolon-report.pdf

I’ll try to update this PDF file if there is a need to add or change some information.

Description of this vulnerability from Secunia.com is:

Description:
Soroush Dalili has discovered a vulnerability in Microsoft Internet Information Services (IIS), which can be exploited by malicious people to potentially bypass certain security restrictions and compromise a vulnerable system.

The vulnerability is caused due to the web server incorrectly executing e.g. ASP code included in a file having multiple extensions separated by “;”, only one internal extension being equal to “.asp” (e.g. “file.asp;.jpg”). This can be exploited to potentially upload and execute arbitrary ASP code via a third-party application using file extensions to restrict uploaded file types.

The vulnerability is confirmed on a fully patched Windows Server 2003 R2 SP2 running Microsoft IIS version 6. Other versions may also be affected.

Several websites have also written about this weakness:

1. Secunia Advisory: Microsoft IIS ASP Multiple Extensions Security Bypass

2. Securityfocus: Microsoft IIS Malformed Local Filename Security Bypass Vulnerability

3. The Register: Microsoft IIS vuln leaves users open to remote attack

4. VUPEN Security: Microsoft IIS File Extension Processing Security Bypass Vulnerability

5. Securitytracker: Microsoft Internet Information Services (IIS) Filename Extension Parsing Flaw May Let Users Bypass Security Controls
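As an added example (mine, not from the original post or from any of the advisories above), here is why an uploader that only looks at the text after the last dot is fooled by “file.asp;.jpg”, beside an allowlist check over the whole filename that rejects it. The function names and the sample filenames are constructed for the demonstration.

```python
import re
import uuid

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}

def naive_extension_ok(filename: str) -> bool:
    """The check many uploaders used: trust whatever follows the last '.'.
    'shell.asp;.jpg' passes, yet IIS 6 executes it as ASP (the post's bug)."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in ALLOWED_EXT

# Hardened check: allowlist the entire filename, not just its last extension.
# One alphanumeric name, exactly one dot, one allowed extension; a ';', an
# extra dot, a path separator or any other metacharacter fails the match.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(jpg|jpeg|png|gif)$", re.IGNORECASE)

def strict_filename_ok(filename: str) -> bool:
    return SAFE_NAME.fullmatch(filename) is not None

def server_side_name(original: str) -> str:
    """Safer still (assumed helper): discard the client-supplied name and store
    the file under a server-generated one, keeping only the validated extension."""
    if not strict_filename_ok(original):
        raise ValueError("rejected upload filename: %r" % original)
    ext = original.rsplit(".", 1)[-1].lower()
    return "upload_%s.%s" % (uuid.uuid4().hex, ext)

# Constructed sample names: one benign upload and three bypass attempts.
SAMPLES = [
    "photo.jpg",
    "shell.asp;.jpg",   # the IIS 6 semicolon case described in the post
    "shell.asp.jpg",    # plain double extension
    "../shell.jpg",     # path traversal in the client-supplied name
]

if __name__ == "__main__":
    for name in SAMPLES:
        print("%-18r naive=%-5s strict=%s"
              % (name, naive_extension_ok(name), strict_filename_ok(name)))
```

Running it shows the naive check accepting all four names while the strict check accepts only “photo.jpg”.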
