There is definitely a security hole here. I don't care who says there is not. I went to bugtraq, d/l'ed the exploit perl script and ran it against my work web server specifiying an.asp page as the argument and it displayed the entire.asp page with all scripts visible. If there had been connection strings (ie for database connectivity) they *would* have been visible to me. This is *definitely* a security hole!!! I have since deleted the.dll file at fault and the exploit no longer works....
Slashdot Mirror
There is definitely a security hole here. I don't .asp page as the .asp page .dll file at fault and the exploit
care who says there is not. I went to bugtraq,
d/l'ed the exploit perl script and ran it against
my work web server specifiying an
argument and it displayed the entire
with all scripts visible. If there had been
connection strings (ie for database connectivity)
they *would* have been visible to me. This is
*definitely* a security hole!!! I have since
deleted the
no longer works....
-=] Stardrake [=-