-----[ www.TheCyberUnderground.com

ASP File Disclosure Multiple Vulnerabilities

vulnerability from: bugtraq
additional research by: Kurruppt

Vulnerable: IIS 2, IIS 3, IIS 4 (possibly IIS 5)

1) The following files:

   showcode.asp
   codebrws.asp

will reveal the source of any ASP script on the host. This is a problem since many ASP scripts hold sensitive information, such as IP addresses, usernames, passwords, ODBC and SQL connectivity info, and so on. Any CGI vulnerability scanner (webchk, whiske, nss, cerberus) will help you find the path to these files. A URL in the form:

   /path/to/showcode.asp?/somescript.asp

will often reveal the source to somescript.asp. Even more dangerous is:

   /path/to/showcode.asp?/../../../win.ini

or

   /path/to/codebrws.asp?/../../../winnt/repair/sam._

2) Appending the following characters to an ASP file may reveal its source:

   .htw (somefile.asp.htw)
   ::%2E
   $::DATA

Many IIS 4 boxes are still vulnerable to these attacks. Especially vulnerable are scripts that connect to SQL servers or mail gateways that use passwords to connect.
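
Both items leave recognisable request patterns in IIS W3C logs, so an administrator can check whether a server has been probed this way. The Python script below is an added example, not part of the original advisory: the log field order and the sample lines are constructed assumptions, and its "::" rule also matches the NTFS ::$DATA stream suffix.

```python
import re
from urllib.parse import unquote

# Assumed W3C field order; a real log declares it in its "#Fields:" line.
FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status"]
VIEWERS = {"showcode.asp", "codebrws.asp"}   # sample viewers named in the advisory
# Text appended to ".asp": ".htw", "::" (covers ::%2E and ::$DATA) or "$::"
SUFFIX_RE = re.compile(r"\.asp(\.htw|::|\$::)", re.IGNORECASE)

def decode(value):
    """Percent-decode twice (catches double encoding); '-' is an empty field."""
    return "" if value == "-" else unquote(unquote(value)).replace("\\", "/")

def classify(stem, query):
    """Return finding labels for one request; an empty list means no match."""
    stem, query = decode(stem), decode(query)
    labels = []
    if stem.lower().rsplit("/", 1)[-1] in VIEWERS:
        labels.append("sample-viewer")
        if ".." in query.split("/"):       # viewer pointed outside the web root
            labels.append("traversal")
    if SUFFIX_RE.search(stem):
        labels.append("source-suffix")
    return labels

def scan(lines):
    """Return (client_ip, status, labels) for each suspicious log line."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue                        # blank line or W3C directive
        parts = line.split()
        if len(parts) != len(FIELDS):
            hits.append(("?", "?", ["unparsed"]))   # surface it, do not drop it
            continue
        rec = dict(zip(FIELDS, parts))
        labels = classify(rec["cs-uri-stem"], rec["cs-uri-query"])
        if labels:
            hits.append((rec["c-ip"], rec["sc-status"], labels))
    return hits

# Constructed sample log lines (not taken from the advisory or a real server).
SAMPLE = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
1999-05-07 10:00:01 192.0.2.10 GET /default.asp - 200
1999-05-07 10:00:05 192.0.2.44 GET /path/to/showcode.asp /somescript.asp 200
1999-05-07 10:00:09 192.0.2.44 GET /path/to/codebrws.asp /%2e%2e/%2e%2e/%2e%2e/win.ini 200
1999-05-07 10:00:12 198.51.100.7 GET /somefile.asp.htw - 404
1999-05-07 10:00:15 198.51.100.7 GET /somefile.asp::$DATA - 200""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A hit logged with status 200 deserves attention first, since the server answered the request instead of rejecting it.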