26th Sep 2002 [SBWID-5277]
COMMAND
IIS sample script directory traversal vulnerability
SYSTEMS AFFECTED
IIS 5.0
PROBLEM
The IIS developers actually put some thought into securing this sample
script. Unfortunately for them and their user base, they didn't take
into account the Unicode character set when checking the path passed to
the script.
The function fValidPath in CodeBrws.asp has the following comment
placed above it:
REM **************************************
REM intended behavior:
REM allow access to only .asp, .htm, .html, .inc files
REM in some directory starting from /IISSAMPLES
REM and without .. in the path
REM **************************************
The fValidPath function first checks to see if the base directory
starts with "/IISSAMPLES", then verifies that the last characters of
the request are one of the allowed extensions, and finally checks to
see if the ".." sequence is anywhere in the string.
The problem is that ".." can be represented a number of other ways
using the Unicode character set. For instance, the sequence
%c0%ae%c0%ae will be decoded as two periods by IIS, but will not be
caught by the InStr(1,strPath,"..",1) code in the ASP script. So, to
create a request that passes the input filters but retrieves the
source of default.asp:
/iissamples/sdk/asp/docs/CodeBrws.asp?Source=/IISSAMPLES/%c0%ae%c0%ae/default.asp
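The ordering flaw described above, as an added Python example (not code from CodeBrws.asp or from IIS). %c0%ae is an overlong two-byte UTF-8 encoding of "."; the function names, the lenient decoder model and the hardened check are assumptions made for illustration, and the two sample paths are taken from this advisory.

```python
import posixpath
from urllib.parse import unquote_to_bytes

ALLOWED_EXT = (".asp", ".htm", ".html", ".inc")
BASE = "/iissamples"
# Both sample values are taken from the advisory text.
TRAVERSAL = "/IISSAMPLES/%c0%ae%c0%ae/default.asp"
BENIGN = "/IISSAMPLES/sdk/asp/docs/CodeBrws.asp"

def described_check(path):
    """The three checks the advisory describes, run on the string as received."""
    p = path.lower()
    return p.startswith(BASE) and p.endswith(ALLOWED_EXT) and ".." not in p

def lenient_view(path):
    """Model (assumption) of a later decoder that accepts overlong 2-byte UTF-8."""
    raw, out, i = unquote_to_bytes(path), [], 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw) and (raw[i + 1] & 0xC0) == 0x80:
            # No minimum-value test: C0 AE yields U+002E, a plain period.
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)

def hardened_check(path):
    """Decode strictly, canonicalize, then validate the final form only."""
    try:
        decoded = unquote_to_bytes(path).decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return False  # overlong or malformed sequences are refused outright
    if "\\" in decoded or "\x00" in decoded or "%" in decoded:
        return False  # backslashes, NULs and leftover escapes are refused
    canon = posixpath.normpath(decoded).lower()
    return canon.startswith(BASE + "/") and canon.endswith(ALLOWED_EXT)

if __name__ == "__main__":
    for sample in (TRAVERSAL, BENIGN, "/IISSAMPLES/../default.asp"):
        print(sample, described_check(sample), lenient_view(sample),
              hardened_check(sample))
```

The described checks accept the encoded path because they run before decoding; validating only the strictly decoded, normalized path closes that gap.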
SOLUTION
Remove the /IISSamples virtual directory using the Internet Services
Manager. If for some reason this is not possible, removing the
following ASP script will fix the problem (assuming you installed IIS
in c:\inetpub):
c:\inetpub\iissamples\sdk\asp\docs\CodeBrws.asp