Microsoft IIS 5.0 ships with a sample script that can be used to view the source code of other scripts in the sample scripts (/IISSAMPLES) directory. The script is designed to display only files with a .html, .htm, .asp or .inc extension. However, a flaw exists that allows an additional character to be added to the file extension. This may allow an attacker to view, for example, .aspx files used by the .NET architecture. If used in conjunction with the issues discussed in BID 4525, this may expose files outside of the sample script directory.
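The following is an added example, not code from the advisory or from the IIS sample script. It contrasts an extension check that compares only a truncated extension with a strict check that requires an exact allowlist match and confines the path to the sample directory. The truncated comparison in `loose_extension_check` is an assumed model of this class of flaw (the advisory does not show the script's code), and the function names and sample paths are hypothetical.

```python
import posixpath

# Extensions the advisory says the viewer is meant to display.
ALLOWED_EXTENSIONS = {".html", ".htm", ".asp", ".inc"}
# Sample scripts directory named in the advisory.
SAMPLE_ROOT = "/IISSAMPLES"


def loose_extension_check(virtual_path):
    """Assumed model of the flaw: only the first four characters of the
    extension are compared, so one trailing character slips through."""
    extension = posixpath.splitext(virtual_path)[1].lower()
    return extension[:4] in {".htm", ".asp", ".inc"}


def is_viewable(virtual_path):
    """Strict check: exact extension match and containment in SAMPLE_ROOT.

    Assumes virtual_path has already been URL-decoded exactly once.
    """
    # Treat backslashes as separators, as Windows does, then collapse
    # "." and ".." segments before making any decision.
    normalized = posixpath.normpath(virtual_path.replace("\\", "/"))
    # Windows paths are case-insensitive, so compare in lower case.
    inside_root = normalized.lower().startswith(SAMPLE_ROOT.lower() + "/")
    # Exact match against the allowlist: ".aspx" and a trailing "." both fail.
    extension = posixpath.splitext(normalized)[1].lower()
    return inside_root and extension in ALLOWED_EXTENSIONS


if __name__ == "__main__":
    # Constructed sample paths, for illustration only.
    samples = [
        "/IISSAMPLES/sdk/sample.asp",
        "/IISSAMPLES/app/page.aspx",
        "/IISSAMPLES/../app/web.asp",
        "/IISSAMPLES/sdk/sample.asp.",
    ]
    for path in samples:
        print(path, "loose:", loose_extension_check(path),
              "strict:", is_viewable(path))
```

On a production server the sample scripts directory should not be published at all; the strict check only shows what the viewer's own validation would need to enforce.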