Bug report - where?

[Anders Ljusberg]

Hi!

I believe I have found a bug in IIS5 running Win2k SP1.

When putting .asp files in a folder with a name that ends with .com - the
files are not processed by the ASP engine, but simply returned.

An example:
http://dx3-1.mind.com/sites/nisse.com/

Where can I report this bug formally?

/Anders

[Chris Crowe]

[This followup was posted to microsoft.public.inetserver.iis and a copy
was sent to the cited author.]

In article <u7i4vn$FAHA.196@cppssbbsa05>, and...@hem.passagen.se says...

> Hi!
>
> I believe I have found a bug in IIS5 running Win2k SP1.
>
> When putting .asp files in a folder with a name that ends with .com - the
> files are not processed by the ASP engine, but simply returned.
>
> An example:
> http://dx3-1.mind.com/sites/nisse.com/

I am not sure where you send it to.. I could post it to one of the
Private Microsoft newsgroups for IIS if you would like?

Of course I would give all credit to you for finding this hole.

ps: I tested it and it did fail for me as well.

--

Chris Crowe
IISFAQ Web Site
www.IISFAQ.COM

[Anders Ljusberg]

I actually found an article in the KB that matches this problem, and it's been reviewed two days ago (strangely, only a couple of hours before I found the problem...).

Q238606 - Page Contents Visible When Certain Dot Extensions Present in the Virtual Directory Name

However, it still says nothing about it beeing a problem in IIS5.

/Anders

* Sent from Devdex.com http://www.devdex.com The Web Developers Index *
The world's largest index site for web developers.

[Anders Ljusberg]

Oh, and check this out:

--- *** ---

Will this vulnerability affect the version of IIS in Windows 2000?

No.

--- *** ---

found at:
http://www.microsoft.com/technet/security/bulletin/fq99-058.asp

:-)