Reported January 8, 2001, by Georgi Guninski
- Microsoft Internet Information Server 5.0
IIS 5.0 might reveal the contents of script files (such as Perl scripts) when particular characters are used within a URL.
The following URL will reveal the contents of the test.pl file. Note the "%3F+.htr" suffix appended to the URL:
In addition, it has been reported that the following variant works to expose script contents:
Microsoft was informed of the problem on January 4, 2000, but the company has not provided a response at this time.
Discovered by Georgi Guninski