This applies as well to perl and cgi scripts (cgi in iis3.0) For example: http://www.activestate.com/lyris/lyris.pl::$DATA MS hasn't fixed their own site (heh), but they promise a fix today. http://www.microsoft.com/default.asp::$DATA In the meantime, Christoph Wille <Christoph.Wille@softwing.com> from Sofwing has graciously made available an IIS ISAPI filter that will protect a site from the ::$DATA vulnerability. You can find it at http://www.softwing.com/iisdev/ddatafix/ Andrew -----Original Message----- From: Manar Hussain <manar@ivision.co.uk>
This isn't really a NANOG issue so I'll keep it brief - I'm mentioning it as it's something people here may well want to consider and pass on to customers with NT servers.
Another MS security whole allows people to access the code for ASP/ASA/ColdFusion pages by adding ::$data to the URL.
E.g.
http://www.allaire.com/handlers/index.cfm::$DATA
http://www.watford.co.uk/global.asa::$DATA
http://www.datareturn.com/av-asp.asp::$DATA
I understand that using SiteServer or making the file non-readable (but retaining execute permissions!) "solves" the problem.
Regards,
Manar