COMMAND

    ASP

SYSTEMS AFFECTED

    Win

PROBLEM

    Pietro Di Mosmanza found the following.  In ASP you have some
    built-in objects, one of which is the Request object.  This object
    retrieves the values that the client browser passed to the server
    during an HTTP request.

        http://www.myserver.com/default.asp?variable=value
        Request("variable") = value

    However, when the value consists of a percent sign (which can be
    followed by 1 arbitrary character), Request("variable") holds some
    kind of path which can reveal some information about the internal
    structure of the website.  This can be a problem when such a
    variable is printed directly into the HTML, or when the VBScript
    can't deal with bogus input.

        http://www.myserver.com/default.asp?variable=%
        Request("variable") = <bogus_string>

    On some sites it is possible to see which one of the virtual
    sites on the same server it is; you'll see something like
    "˙LM/W3SVC/1/Root/test".  Look for example on Microsoft's site:

        http://search.microsoft.com/us/SearchMS.asp?so=RECCNT&boolean=PHRASE&intCat=0&intCat=1&intCat=2&intCat=3&intCat=4&intCat=5&intCat=6&intCat=7&intCat=8&intCat=9&p=1&nq=NEW&LOC=&qu=%

    Tested with ASP version 4.02.0727, IIS 4.0, NT 4.0 sp 4.

SOLUTION

    Nothing yet.
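
    The following is an added example, not part of the original
    advisory: a log check that flags requests whose query-string value
    is a percent sign followed by at most one character (the trigger
    described above), and more generally any "%" not followed by two
    hex digits.  The W3C field layout, IP addresses and log lines are
    constructed sample data.

```python
import re

# A "%" that is not followed by two hex digits is a malformed escape.
BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")

def suspicious_params(query):
    """Return [(name, value, reason)] for parameters with bad escapes."""
    hits = []
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        if value.startswith("%") and len(value) <= 2:
            # Exactly the case in the advisory: "%" or "%" + one character.
            hits.append((name, value, "page-trigger"))
        elif BAD_ESCAPE.search(value):
            # Broader than the advisory: any truncated or non-hex escape.
            hits.append((name, value, "malformed-escape"))
    return hits

def scan_w3c_log(lines):
    """Scan W3C extended log lines; the #Fields line names the columns."""
    fields, findings = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        row = dict(zip(fields, line.split()))
        query = row.get("cs-uri-query", "-")
        if query == "-":  # "-" means the request had no query string
            continue
        for name, value, reason in suspicious_params(query):
            findings.append((row.get("c-ip"), row.get("cs-uri-stem"),
                             name, value, reason))
    return findings

# Constructed sample log (documentation-range IPs, made-up timestamps).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
1999-01-01 10:00:00 192.0.2.10 GET /default.asp variable=value 200
1999-01-01 10:00:05 192.0.2.11 GET /default.asp variable=% 200
1999-01-01 10:00:09 192.0.2.11 GET /default.asp variable=%z 200
1999-01-01 10:00:12 192.0.2.12 GET /default.asp q=100%25&x=a%2 200
1999-01-01 10:00:15 192.0.2.13 GET /index.htm - 200
""".splitlines()
```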