If you want to hide code or programs, most will advice you that, given the choice of server side or client side scripting, you should always choose server side, because it hydes your code from prying eyes. Well, this is not always so.
Microsoft IIS has a nice bug: if you enter the name of a script-based page into your browser and put a full stop at the end of the URL, IIS returns the raw ASP page, rather than the script output.
This exploit was published some months ago and Microsoft provided a fix for it (which as you know does not mean anything at all, since the rate of internet bug-fixing is well below 45% :-) and now another new exploit has been found: under certain circumstances you can get hold of any ASP script, or even grab copies of executables sitting on your target server.
The exploit is based on the fact that the native Windows NT file system (NTFS)
supports multiple data streams within a single file. Here the MS 'online'
Multiple Data Streams
NTFS supports multiple data streams. The stream name identifies
a new data attribute on the file. Streams have separate opportunistic
locks, file locks, allocation sizes, and file sizes, but sharing is per file.
The following is an example of an alternate stream:
This feature permits related data to be managed as a single unit.
For example, Macintosh computers use this type of structure to
manage resource and data forks. Or, a company might create a program
to keep a list of changes to the file in an alternate stream, thus
keeping archive information with the current version of the file.
As another example, a library of files might exist where the files
are defined as alternate streams, as in the following example:
Suppose a "smart" compiler creates a file structure like the following example:
Note Because NTFS is not supported on floppy disks, when you copy an NTFS
file to a floppy disk, data streams and other attributes not supported by
FAT are lost.
The really important data stream is called $Data, the stream that stores the actual
content of the file. If you type in the UTL of a script you are interested in,
and you add ::$DATA to the end of it, for example
Obviously this can only happen if the files are being stored on an NTFS volume, so anyone running web server off a FAT volume will not be affected by this exploit, but there are so many exploit out there for FAT volumes, that to get those scripts is as easy as shooting the red cross.
Note that this regards ASP, PL, IDC, SHTML and any other script or executable file types!
Never forget that root is usually
\inetpub\wwwroot in M$ Internet Information Server,
\home\httpd in Apache
and that lazy sysads (or all sysads that have had enough with all bugs) tend to stuff most of the things inside root.
Another interesting example (for instance perusing bank accounts), is that if you find somewhere a 'forgotten' Access database file in some remore subdirectory of your target you just need to point your browser to this file (if you have Access installed on your system) in order to see the whole database. It's read-only, of course, but hey: info is info!