Server Name Spoofing in IIS Could Lead to Code Exposure

Reported August 22, 2005 by Inge Henriksen


Internet Information Server 5.x and 6.0


Inge Henriksen reported a flaw in Microsoft IIS that might lead to the exposure of application code that runs on the server. An attacker could enter a fully qualified URL at a Telnet client to connect to the Web server's listening port, and IIS might consider the connection as coming from the local host instead of a remote client.

The tactic works because of the way IIS handles requests. If a URL has the prefix http://localhost, IIS bypasses name resolution and assumes the request is from the local Web server console. The tecnhique doesn't work with a standard Web browser because browsers resolve localhost as (i.e., the local client machine).

Application code is exposed when IIS needs to use the default "Error 500" Web page template. This template relies on the Web request's SERVER_NAME variable to determine what information to display. If the variable contains "localhost", the templatewill display application source code that wouldn't otherwise be displayed to a remote user.


Microsoft is aware of the problem however no response has been issued from the company as of this writing.