Absent Directory Browser Argument

DOVES Vulnerability V-00109

DOVES Project
Computer Security Laboratory
Department of Computer Science
University of California at Davis



Description

Brief summary: An attacker can read some protected files using a malformed URL.

Detailed description: Microsoft's Internet Information Service by default associates file names that end in ".htr" with a DLL called "ism.dll". When the requested name contains a "+", this DLL truncates the name at the "+", dropping it and everything beyond. It then opens the target file and interprets it as "htr" commands. If the target file is not an ".htr" file, this causes parts of its contents to be displayed.

Components: ism.dll, Microsoft IIS 4.0, 5.0

Operating system(s): Windows NT 4.0, all versions; Windows 2000, all versions

The attacker can view files with the privileges of IIS (usually Administrator).

How to detect:

  1. See if your IIS honors mapping of the "htr" extension.
    1. Choose Properties, then Master Properties, then WWW Service, then Edit, then Home Directory, then Configuration.
    2. If there is an entry for the ".htr" file extension, you are vulnerable.

How to fix:

  1. Disable the mapping of the ".htr" file extension.
    1. Choose Properties, then Master Properties, then WWW Service, then Edit, then Home Directory, then Configuration.
    2. Delete the ".htr" entry.
  2. Install the appropriate patch for IIS 4.0 or for IIS 5.0.

Other information:


Keywords

input validation, htr, ism.dll, web

Cataloguing Information

PA Classification:

RISOS Classification:

Davis Classification:

Common Vulnerability Exposure: ISM.DLL in IIS 4.0 and 5.0 allows remote attackers to read file contents by requesting the file and appending a large number of encoded spaces (%20) and terminated with a .htr extension, aka the ".HTR File Fragment Reading" or "File Fragment Reading via .HTR" vulnerability. [CAN-2000-0457]
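A log check for the two request shapes described above (truncation at "+" in the detailed description, %20 padding in the CVE text), added here as an example and not part of the DOVES entry. It assumes a W3C extended log with `c-ip` and `cs-uri-stem` fields, treats anything between the separator and the final ".htr" as padding, and uses hypothetical function names and constructed sample lines.

```python
import posixpath
import re
from urllib.parse import unquote

def htr_fragment_target(uri_stem):
    """Return the file a padded .htr request resolves to, or None if benign."""
    path = unquote(uri_stem)                 # %20 becomes a literal space
    if not path.lower().endswith(".htr"):
        return None
    # What remains once the name is cut at the first "+" or space.
    target = re.split(r"[+ ]", path, maxsplit=1)[0]
    ext = posixpath.splitext(target)[1].lower()
    # No separator, no extension, or a genuine .htr target: not this pattern.
    if target == path or ext in ("", ".htr"):
        return None
    return target

def scan_w3c_log(lines):
    """Yield (client_ip, target) for each suspicious request in a W3C log."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # column names for following rows
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        target = htr_fragment_target(row.get("cs-uri-stem", ""))
        if target:
            yield row.get("c-ip", "-"), target

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2000-07-20 10:01:12 192.0.2.10 GET /pw/change.htr 200
2000-07-20 10:02:40 192.0.2.55 GET /app/page.asp+.htr 200
2000-07-20 10:02:58 192.0.2.55 GET /app/page.asp%20%20%20%20.htr 200
2000-07-20 10:03:30 192.0.2.10 GET /default.htm 200
""".splitlines()

if __name__ == "__main__":
    for ip, target in scan_w3c_log(SAMPLE_LOG):
        print(f"{ip} requested {target} through the .htr mapping")
```

Hits on a server where the ".htr" mapping has already been removed indicate probing only; on a server that still has the mapping, the response size and status for those rows show whether file contents were returned.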


Exploits

Attacks: See Doves exploit #108


Related Information

Microsoft Knowledge Base article Q267559, GET on HTR File Can Cause a "Denial of Service" or Enable Directory Browsing, second symptom

Advisories:


History

Who reported it: Zuo Lei in ISBASE Advisory on July 17, 2000: discovered the problem


Revision #1

  1. Matt Bishop on 8/1/2000
    Initial entry


Send email to doves@cs.ucdavis.edu

Department of Computer Science
University of California at Davis
One Shields Ave.
Davis, CA 95616-8562


Page created August 28, 2000 at 16:41:47 GMT
