COMMAND

    ASP (active server pages)

SYSTEMS AFFECTED

    Win NT

PROBLEM

    Gavin Thomson posted the following security issue about ASP and
    Virtual Hosting.  A lot of internet organisations now seem to be
    offering Virtual Hosting services on NT boxes.  As part of this
    service ASP (Active Server Pages) is being offered as a
    development tool.  Quite often the code used in ASP development
    could be considered sensitive (i.e. uids and passwords for DSNs).
    But by using ASP you can do something like the following:

    <%
        ' Any ASP page can open a file by absolute path; the read runs
        ' under the web server's identity, not the page author's.
        Set fs = Server.CreateObject("Scripting.FileSystemObject")
        Set a = fs.OpenTextFile("c:\inetpub\wwwroot\who-ever\where-ever\testfile.txt", 1, False, True)

        ' Echo the file back to the browser line by line
        Do While Not a.AtEndOfStream
            Response.Write(a.ReadLine & "<br>" & Chr(13))
        Loop

        a.Close
    %>

    This code allows any ASP script to read any code on the server
    that the web server has read access to (i.e. any other virtual
    host's code).

SOLUTION

    File access can be limited to a virtual root.  Normally, IIS
    requests run as the user that authenticated, or as IUSR_machine.
    However, you can have each virtual server run as a different
    identity.  For example, imagine that you're hosting "www.xxx.com"
    and "www.yyy.com" on the same server, and suppose that the root
    for XXX is "c:\inetpub\wwwroot\xxx" and for YYY is
    "c:\inetpub\wwwroot\yyy".

    The virtual server for XXX could be set to run as IUSR_XXX and
    the one for YYY as IUSR_YYY; then set the ACLs on
    "c:\inetpub\wwwroot\xxx" so that only IUSR_XXX has access, and
    similarly for YYY.  Of course, this is an IIS 4.0 feature; those
    with IIS 3.0 have a problem here.  Perhaps MS will come up with a
    workaround for IIS 3.0.
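    The per-site identity fix above only works if the ACLs on every
    site root actually exclude the other sites' anonymous accounts, and
    that is easy to get wrong when hosts are added over time.  The
    script below is an added audit example, not part of the original
    advisory: it parses the text that "cacls <dir>" prints for each site
    root and reports any principal, other than the administrative
    accounts and that site's own IUSR_<SITE> account, that has been
    granted access.  The cacls output, the host name "HOST", the
    IUSR_<SITE> naming convention and the ALLOWED_ADMINS set are all
    assumptions constructed for the example.

```python
"""Audit site-root ACLs on an IIS virtual-hosting box (added example).

Parses cacls-style output and flags site roots that are accessible to
an identity other than the expected administrative principals and the
site's own anonymous account (IUSR_<SITE>, assumed naming convention).
"""
import re

# Principals expected to have access to every site root (assumption).
ALLOWED_ADMINS = {"BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM"}

# Constructed cacls-style output for two site roots.  The yyy root is
# misconfigured: xxx's anonymous account can read yyy's files.
SAMPLE_CACLS_OUTPUT = r"""
c:\inetpub\wwwroot\xxx BUILTIN\Administrators:(OI)(CI)F
                       NT AUTHORITY\SYSTEM:(OI)(CI)F
                       HOST\IUSR_XXX:(OI)(CI)R
c:\inetpub\wwwroot\yyy BUILTIN\Administrators:(OI)(CI)F
                       NT AUTHORITY\SYSTEM:(OI)(CI)F
                       HOST\IUSR_YYY:(OI)(CI)R
                       HOST\IUSR_XXX:(OI)(CI)R
"""

# One ACE as cacls prints it: DOMAIN\name:(inherit flags)RIGHTS
ACE_RE = re.compile(
    r"^(?P<principal>.+?):(?P<flags>(?:\([A-Z]+\))*)(?P<rights>[A-Z]+)$"
)


def parse_cacls(text):
    """Return {path: [(principal, rights), ...]} from cacls-style output.

    A line that starts in column 0 names a new path followed by its first
    ACE; indented lines are further ACEs for the same path.  Paths are
    assumed not to contain spaces.
    """
    acls = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            ace = raw.strip()
        else:
            current, ace = raw.split(None, 1)
            acls.setdefault(current, [])
        match = ACE_RE.match(ace)
        if current is None or match is None:
            raise ValueError(f"unparseable cacls line: {raw!r}")
        acls[current].append((match.group("principal"), match.group("rights")))
    return acls


def expected_site_account(path, host="HOST"):
    """Map a site root to the anonymous account it should run as (assumed convention)."""
    site = path.rstrip("\\").rsplit("\\", 1)[-1]
    return f"{host}\\IUSR_{site.upper()}"


def find_cross_site_access(acls, host="HOST"):
    """Return {path: [principal, ...]} for principals that should not be on the ACL.

    Windows account names are case-insensitive, so comparison is done in
    lower case while the principal is reported as cacls printed it.
    """
    findings = {}
    for path, aces in acls.items():
        allowed = {a.lower() for a in ALLOWED_ADMINS}
        allowed.add(expected_site_account(path, host).lower())
        extra = sorted({p for p, _ in aces if p.lower() not in allowed})
        if extra:
            findings[path] = extra
    return findings


if __name__ == "__main__":
    # On a real box, feed the output of "cacls c:\inetpub\wwwroot\<site>"
    # for each site root instead of the constructed sample.
    for path, principals in find_cross_site_access(parse_cacls(SAMPLE_CACLS_OUTPUT)).items():
        print(f"{path}: unexpected access for {', '.join(principals)}")
```

    Run against the sample, the script reports that IUSR_XXX has read
    access to the yyy root, which is exactly the cross-tenant read the
    ASP snippet in the PROBLEM section exploits.  A clean result means
    every site root is limited to the administrators and its own
    anonymous account, which is the state the SOLUTION describes.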