Server Name Spoofing in IIS Could Lead to Code Exposure
Inge Henriksen reported a flaw in Microsoft IIS that might lead to the exposure of application code that runs on the server.
August 23, 2005
Reported August 22, 2005 by Inge Henriksen
VERSIONS AFFECTED
Internet Information Server 5.x and 6.0
DESCRIPTION
Inge Henriksen reported a flaw in Microsoft IIS that might lead to the exposure of application code that runs on the server. An attacker could enter a fully qualified URL at a Telnet client to connect to the Web server's listening port, and IIS might consider the connection as coming from the local host instead of a remote client.
The tactic works because of the way IIS handles requests. If a URL has the prefix http://localhost, IIS bypasses name resolution and assumes the request is from the local Web server console. The technique doesn't work with a standard Web browser because browsers resolve localhost as 127.0.0.1 (i.e., the local client machine).
Application code is exposed when IIS needs to use the default "Error 500" Web page template. This template relies on the Web request's SERVER_NAME variable to determine what information to display. If the variable contains "localhost", the template will display application source code that wouldn't otherwise be displayed to a remote user.
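A log check for the condition described above, as an added example that is not part of the original advisory: it flags requests whose host name claims to be localhost while the client address is not a loopback address. It assumes IIS W3C extended logging with the c-ip and cs-host fields enabled and that cs-host records the host name IIS used for the request; the function names and the sample log are constructed for illustration.

```python
import ipaddress

# Constructed sample in IIS W3C extended log format (not from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs-host
2005-08-23 10:01:12 192.0.2.44 GET /app/report.asp 500 localhost
2005-08-23 10:01:40 127.0.0.1 GET /app/report.asp 500 localhost
2005-08-23 10:02:03 198.51.100.7 GET /default.asp 200 www.example.com
2005-08-23 10:02:31 203.0.113.9 GET /app/report.asp 200 LOCALHOST:80
"""


def is_loopback(addr):
    """True only if addr parses as a loopback IP (127.0.0.0/8 or ::1)."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def find_spoofed_local(log_text):
    """Return (c-ip, uri, status) for 'localhost' requests from remote clients."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the field list can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated entry
        row = dict(zip(fields, values))
        host = row.get("cs-host", "-").lower().split(":")[0]  # drop any port
        if host == "localhost" and not is_loopback(row.get("c-ip", "-")):
            hits.append((row.get("c-ip", "-"), row.get("cs-uri-stem", "-"),
                         row.get("sc-status", "-")))
    return hits


if __name__ == "__main__":
    for client, uri, status in find_spoofed_local(SAMPLE_LOG):
        print(f"remote client {client} sent host 'localhost' for {uri} (status {status})")
```

Hits with status 500 deserve priority, since the advisory ties the source disclosure to the default "Error 500" template.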
VENDOR RESPONSE
Microsoft is aware of the problem; however, no response has been issued from the company as of this writing.