%2E Trick

By Susam Pal on 09 Dec 2001

There are two interesting vulnerabilities in Microsoft IIS 3.0 that allow remote attackers to view the source code of dynamic web pages written using ASP. Both are related and both are due to improper input validation by IIS 3.0.

Appending Dot

The first vulnerability allows the client to retrieve the source code of an ASP script by simply appending a dot (i.e., .) to the end of the URL. For example, while a URL like

http://example.com/foo.asp

shows the output of foo.asp, the same URL when modified to

http://example.com/foo.asp.

shows its source code. See CVE-1999-0154 and CIAC:H-48 for more details on this issue.

Replacing Dot With %2E

The second vulnerability, discovered by Weld Pond, was introduced when Microsoft fixed the first issue. It allows a client to retrieve the source code of an ASP script by replacing the dot in the filename with its URL-encoded form, i.e., %2e. For example, while a URL like

http://example.com/foo.asp

shows the output of foo.asp, the same URL when modified to

http://example.com/foo%2easp.

shows its source code.

Note that 2e is the hexadecimal representation of the ASCII code of the dot character. Here is a tiny C program that demonstrates this:

#include <stdio.h>

int main()
{
    /* print the dot as a character, as its decimal ASCII code and as hex */
    printf("'%c', %d, %#x\n", '.', '.', '.');
    return 0;
}

Here is the output:

$ cc foo.c && ./a.out
'.', 46, 0x2e

See CVE-1999-0253 and BID:1814 for more details on this issue.
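As an added example that is not part of the original post, here is a small Python script showing why a server must canonicalize the request path (percent-decode it and strip trailing dots) before deciding which handler serves it, and how a log review can spot the two variants described above. The sample paths are constructed for the example.

```python
from urllib.parse import unquote

# Constructed sample request paths (not from the original post): two ordinary
# requests plus the two variants the post describes.
SAMPLE_PATHS = [
    "/index.asp",
    "/foo.asp.",        # appended dot (CVE-1999-0154)
    "/foo%2easp",       # dot replaced by its percent-encoding (CVE-1999-0253)
    "/images/logo.gif",
]

def naive_is_asp(raw_path):
    """The flawed check: classify the raw request path as received."""
    return raw_path.lower().endswith(".asp")

def canonicalize(raw_path):
    """Percent-decode until the result is stable (this also covers double
    encoding such as %252e), then strip trailing dots and spaces, which the
    Windows filesystem ignores when opening a file."""
    path = raw_path
    for _ in range(3):          # bounded, so a hostile input cannot loop forever
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.rstrip(". ")

def is_asp(raw_path):
    """The correct check: classify the canonical path, i.e. the file that
    the filesystem will actually open."""
    return canonicalize(raw_path).lower().endswith(".asp")

def flag_evasions(paths):
    """Detection helper: return the paths on which the naive and the
    canonical classification disagree; those are the suspicious requests."""
    return [p for p in paths if naive_is_asp(p) != is_asp(p)]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p:20} naive={naive_is_asp(p)!s:5} canonical={is_asp(p)}")
    print("flagged:", flag_evasions(SAMPLE_PATHS))
```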
