COMMAND

    Microsoft Active Server Pages (ASP)

SYSTEMS AFFECTED

    Win NT

PROBLEM

    A serious  security hole  was found  in Microsoft's  Active Server
    Pages (ASP) by  Juan T. Llibre  <j.llibre@codetel.net.do>. This
    hole  allows  Web  clients  to  download  unprocessed  ASP   files
    potentially exposing  user ids  and passwords.  ASP files  are the
    common fi  le type  used by  Microsoft's IIS  and Active Server to
    perform server-side processing.

    To download  an unprocessed  ASP file,  simply append  a period to
    the  asp  URL.  For  example:   http://www.domain1.com/default.asp
    becomes   http://www.domain1.com/default.asp.   With   the  period
    appendage,  Internet  Information  Server  (IIS)  will  send   the
    unprocessed ASP file to the Web client, wherein the source to  the
    file can be examined at will. If the source includes any  security
    parameter  designed  to  allow  access  to other system processes,
    such as an SQL  database, they will be revealed.

    Paul Leach <paulle@MICROSOFT.COM> forwarded Microsoft's statement.
    "This problem affects any  script-mapped files that are  requested
    from  a  virtual  directory  which  has  both  Read  and   Execute
    permissions set. In  this case, adding  one or more  extra periods
    onto the end  of the URL  will cause the  file to be  displayed in
    the browser instead  of executed on  the server. This  would allow
    clients of your web site to  see any script code or other  content
    in the script source file. This problem affects any  script-mapped
    files - .asp, .idq htx/idc, .pl  etc. - it is not limited  to just
    .asp files."

SOLUTION

    There are three known ways to stop this behavior:

    1. Turn read permissions off of the ASP directory in the  Internet
       Service Manager.  This may  not be  a practical  solution since
       many sites  mix ASP  and HTML  files. If  your site mixes these
       files  together  in  the  same  directories,  you  may  want to
       segregate them immediately.  Now and in the future, treat  your
       ASP files like  any other Web  based executable, and  keep them
       in  separate  directories  wherein  permissions can be adjusted
       accordingly.

    2. Download   this   filter     written   by   Christoph     Wille
       Christoph.Wille@unileoben.ac.at which can be located at

            http://www.ntshop.net/security/tools/sechole.zip
            http://www.genusa.com/asp/patch/sechole.zip

    3. Microsoft  made  hotfix  available.  To  download  the  hotfix,
       connect to:

            ftp://ftp.microsoft.com

       and go to

            /bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postsp2/iis-fix.


    Note that the  hotfix depends on  having either Windows  NT Server
    4.0 Service Pack 1a or Service Pak 2 installed. You should  review
    the readme.lst for more information.

    Additionally,  Microsoft  recommends  that  customers store static
    pages and  dynamic script  pages in  different virtual directories
    to ensure highest  levels of security.  It is further  recommended
    to minimize your confidential information in script code.