WEB-IIS view source via translate header
Trigger
Microsoft Internet Information Services (IIS) 5.0 contains scripting engines to support various advanced file types such as .ASP and .HTR files. This permits server-side processing of those files. IIS determines which scripting engine to use from the file extension. If an attacker crafts a request that includes 'Translate: f' with the URL followed by a slash '/', IIS fails to send the file to the appropriate scripting engine for processing. Instead, it returns the source code of the referenced file to the browser.
Affected systems
Microsoft IIS 5.0
Impact
Intelligence gathering. This attack may permit disclosure of the source code of files not normally available for viewing.
False positives
Some Microsoft applications make use of the 'Translate: f' header and may cause this rule to generate an event. These include applications that use WebDAV for publishing content on a webserver such as Microsoft Outlook Web Access (OWA).
Scenario
An attacker can craft a request that includes the 'Translate: f' header, with the URL followed by a '/', to disclose source code on the vulnerable server.
Example
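The following is an added example, not part of the original rule documentation, showing how the trigger and the false-positive case described above look in practice: a small Python inspector that parses an HTTP request head, reports whether the 'Translate: f' condition the rule keys on is present, and then triages the event using the trailing-slash URL and the request method (treating WebDAV methods as the publishing traffic that OWA and similar applications generate). The sample requests and the WebDAV method list are constructed for illustration and are assumptions, not captured traffic or rule content.

```python
from dataclasses import dataclass

# Constructed sample request heads (not captured traffic), one per case the rule text describes.
SAMPLES = {
    "source_disclosure": "GET /default.asp/ HTTP/1.1\r\nHost: www.example.com\r\nTranslate: f\r\n\r\n",
    "webdav_publish": "PROPFIND /exchange/ HTTP/1.1\r\nHost: owa.example.com\r\nTranslate: f\r\nDepth: 1\r\n\r\n",
    "plain_get": "GET /default.asp HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}

# Assumed set of WebDAV methods used by publishing clients; tune for the environment.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "OPTIONS"}


@dataclass
class Verdict:
    method: str
    path: str
    has_translate_f: bool   # the condition the Snort rule keys on
    trailing_slash: bool    # URL ends in '/', as in the trigger description
    likely_webdav: bool     # request method typical of WebDAV publishing (OWA etc.)

    @property
    def rule_fires(self) -> bool:
        return self.has_translate_f

    @property
    def likely_true_positive(self) -> bool:
        # Triage: header present, trailing slash on the URL, and not WebDAV publishing traffic.
        return self.has_translate_f and self.trailing_slash and not self.likely_webdav


def parse_request(raw: str):
    """Split an HTTP request head into (method, path, headers); header names lowercased."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    parts = lines[0].split()
    if len(parts) < 2:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0].upper(), parts[1], headers


def inspect(raw: str) -> Verdict:
    method, path, headers = parse_request(raw)
    # Assumed case-insensitive match on the header value, as IIS treats header values.
    translate_f = headers.get("translate", "").strip().lower() == "f"
    return Verdict(method, path, translate_f, path.endswith("/"), method in WEBDAV_METHODS)
```

Run `inspect()` over each entry in `SAMPLES`: the GET with a trailing slash fires and triages as a likely true positive, the PROPFIND fires but triages as WebDAV publishing, and the plain GET does not fire at all.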
Corrective actions
Apply the appropriate vendor-supplied patch.