Watch out for “verify that file exists”

Just wanted to share one thing I noticed at work recently.

When you add a wildcard application map in IIS 5/6, there’s a checkbox called “Verify that file exists”. When it is ticked, IIS checks whether the file named in the request URI actually exists on the file system before invoking the mapped executable. If the file doesn’t exist, IIS simply returns HTTP 404 itself.

This causes two issues:
1/ If you have an access control extension mapped like that (e.g. Siteminder), it becomes possible to map your website structure without logging in – an attacker can just iterate through file names and tell from the 404s which ones are there, because the file check runs before the access control extension ever sees the request.
2/ If you have additional ISAPI filters mapped that reply to requests for files that are not on the hard drive, they will not be invoked: the first application mapping answers the request with HTTP 404. I had this case with the Trace.axd file, which is served dynamically by ASP.NET. With “Verify that file exists” ticked, the request pipeline was broken and the request never made it to ASP.NET.
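To make both failure modes concrete, here is a small Python model of the pipeline described above. It is added for this write-up and is not code from the post or from IIS; the file list, the access-control behaviour and the handler order are simplified, constructed assumptions.

```python
# Constructed sample site: the only files that really exist on disk.
SITE_FILES = {"/default.aspx", "/admin/report.aspx"}
# Resources ASP.NET answers dynamically although nothing is on disk (Trace.axd as in the post).
DYNAMIC_HANDLERS = {"/trace.axd"}


def access_control_isapi(authenticated):
    """Models an access-control ISAPI such as SiteMinder (assumption: it simply
    rejects every unauthenticated request with 401 and lets others through)."""
    return None if authenticated else 401


def aspnet_isapi(path):
    """Models ASP.NET serving both real files and its dynamic handlers."""
    return 200 if path in SITE_FILES or path in DYNAMIC_HANDLERS else 404


def handle_request(path, authenticated, verify_file_exists):
    """Models the IIS 5/6 wildcard application map pipeline.

    With 'Verify that file exists' on, IIS checks the disk before calling the
    first mapped extension, so no ISAPI ever sees a request for a missing file.
    """
    if verify_file_exists and path not in SITE_FILES:
        return 404  # issued by IIS itself, before access control runs
    status = access_control_isapi(authenticated)
    if status is not None:
        return status
    return aspnet_isapi(path)


def existence_leak(verify_file_exists):
    """Issue 1: can an unauthenticated client distinguish a protected file
    that exists from one that does not, purely from the status code?"""
    present = handle_request("/admin/report.aspx", False, verify_file_exists)
    missing = handle_request("/admin/nothing-here.aspx", False, verify_file_exists)
    return present != missing


def trace_axd_reachable(verify_file_exists):
    """Issue 2: does an authenticated request for the dynamic Trace.axd
    still reach ASP.NET, or is it cut off by the file check?"""
    return handle_request("/trace.axd", True, verify_file_exists) == 200


if __name__ == "__main__":
    for verify in (True, False):
        print(f"verify={verify}: existence leak={existence_leak(verify)}, "
              f"Trace.axd reachable={trace_axd_reachable(verify)}")
```

With the checkbox on, the model returns 404 for a missing protected path but 401 for an existing one; with it off, both return 401 and Trace.axd is served.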

1 comment

ng says:

remote five :)
