From: Wanderley J. Abreu Junior [storm@UNIKEY.COM.BR]
Sent: Sunday, July 25, 1999 3:21 PM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: Alert: RDS IIS vulnerability/fix

> Well Query lets us run queries against an (existing) database. And we
> know we can embed our pipe-VBA-shells in queries, so Query looks good.
> But this is nothing spectacular. And there is one catch: the need for an
> existing database. We need to pass a DSN to the ActiveDataFactory to
> actually run the query on. The problem with the DSN is that:
>
> 1. DSNs can require UIDs and passwords

Yes, but actually there's a DSN called advworks that is automatically configured by RDS Server and doesn't require a password (as you have mentioned in the third part of this doc). And using the method below (showcode.asp) you can pick up some DSN UIDs and passwords without any problems.

> 2. There's no way to get a list of available DSNs
> (** through RDSServer.DataFactory functions, that
> I'm aware of **)

You're right. But since the Advanced Data Control packet comes with some more as-designed bug-features like /msadc/samples/SELECTOR/showcode.asp, there's actually a way to retrieve the ODBC list, which is in \winnt\odbc.ini. IIS 3 also has the /scripts/tools and /scripts/samples features. Plus, if you enter some mapped script extension like http://server/jerk.idc, it returns to you the exact directory where the Web page is stored, like c:\Inetpub\wwwroot\, even if you handled the 404 error to another page. Since NT 4.0 comes with IIS 3, there's a large number of servers still using this version.
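
Added example (not part of the original message, and not code from its author): a log check that flags requests to the sample paths and the mapped .idc extension named above. It assumes the server writes W3C extended logs whose #Fields header includes c-ip and cs-uri-stem; the log lines, the known_idc allow-list and /reports/sales.idc are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Sample locations named in the message; IIS resolves them case-insensitively.
SAMPLE_PREFIXES = {
    "/msadc/samples/": "RDS sample script area (showcode.asp)",
    "/scripts/tools/": "IIS /scripts/tools",
    "/scripts/samples/": "IIS /scripts/samples",
}

def normalise(stem):
    """Decode %xx escapes, then fold case and slashes before matching."""
    stem = unquote(stem).replace("\\", "/").lower()
    return re.sub(r"/+", "/", stem)

def flag_requests(lines, known_idc=()):
    """Return (client, stem, reason) for each request worth reviewing."""
    known = {normalise(p) for p in known_idc}  # assumption: site's real .idc pages
    fields, hits = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order is declared in the log itself
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = normalise(row.get("cs-uri-stem", ""))
        client = row.get("c-ip", "-")
        for prefix, reason in SAMPLE_PREFIXES.items():
            if (stem + "/").startswith(prefix):  # also matches the bare directory
                hits.append((client, stem, reason))
                break
        else:
            if stem.endswith(".idc") and stem not in known:
                hits.append((client, stem, "unlisted .idc request (path disclosure)"))
    return hits

# Constructed log lines (documentation addresses), not from a real server.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status
1999-07-25 15:21:00 192.0.2.10 GET /default.htm 200
1999-07-25 15:21:05 192.0.2.44 GET /MSADC/Samples/SELECTOR/showcode.asp 200
1999-07-25 15:21:09 192.0.2.44 GET /scripts/%74ools 200
1999-07-25 15:21:12 192.0.2.44 GET /jerk.idc 200
1999-07-25 15:22:30 192.0.2.10 GET /reports/sales.idc 200
""".splitlines()

if __name__ == "__main__":
    print(*flag_requests(SAMPLE_LOG, known_idc=["/reports/sales.idc"]), sep="\n")
```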