COMMAND

    IIS sample script directory traversal vulnerability

SYSTEMS AFFECTED

    IIS 5.0

PROBLEM

    The IIS developers actually put some thought into securing this
    sample script. Unfortunately for them and their user base, they
    didn't take into account the Unicode character set when checking
    the path passed to the script.

    The function fValidPath in CodeBrws.asp has the following comment
    placed above it:

        REM **************************************
        REM intended behavior:
        REM allow access to only .asp, .htm, .html, .inc files
        REM in some directory starting from /IISSAMPLES
        REM and without .. in the path
        REM **************************************

    The fValidPath function first checks to see if the base directory
    starts with "/IISSAMPLES", then verifies that the last characters
    of the request are one of the allowed extensions, and finally
    checks to see if the ".." sequence is anywhere in the string.

    The problem is that ".." can be represented a number of other ways
    using the Unicode character set. For instance, the sequence
    %c0%ae%c0%ae will be decoded as two periods by IIS, but will not be
    caught by the InStr(1,strPath,"..",1) code in the ASP script.

    So to create a request which passes the input filters but retrieves
    the source of default.asp...

        /iissamples/sdk/asp/docs/CodeBrws.asp?Source=/IISSAMPLES/%c0%ae%c0%ae/default.asp

SOLUTION

    Remove the /IISSamples virtual directory using the Internet
    Services Manager. If for some reason this is not possible, removing
    the following ASP script will fix the problem (Assuming you
    installed IIS in c:\inetpub):

        c:\inetpub\iissamples\sdk\asp\docs\CodeBrws.asp