COMMAND

    asp

SYSTEMS AFFECTED

    Win systems

PROBLEM

    Ivan Hamilton found the following.  When two virtual servers on IIS
    include the same physical directory as a virtual directory, ASP
    shares the cached version of the files.  This seems like a good
    idea until you realise that a shared ASP application in a virtual
    directory may include a file from another part of the site tree,
    and that the included file differs depending on which virtual
    server it is served from.  For example: you have Site A and Site B.
    You have a web application in a separate directory, and it includes
    into the ASP application file a constants file from another
    directory.  This could be functions or a constant piece of text
    containing confidential information.  In our case, Site A is
    username/password protected, since the included file contains
    extremely confidential information.

        <!--#include virtual="/inc/incConstants.asp"-->
        <html>
        <head>
         <title>Virtual Application</title>
        </head>
        <body>
        Virtual App<BR>
        Site: <%= Request.ServerVariables ("HTTP_HOST")  %><BR>
        SiteName: <%= siteName %><BR>
        </body>
        </html>

    A user first hits the secure site and logs in.  He uses an ASP
    application, which uses constants particular to the secure site.
    ASP parses the file, reads in the include files, and caches the
    whole result (Ivan assumes the key to the cached version is the
    physical path of the file).  The secure user then stops using the
    site and disappears.  A public user comes along to the public site,
    never logs in, and uses the same application (different include
    files should apply), but is served the cached ASP version, with
    sensitive information that should only have been accessible with a
    username/password pair.  BOOM...

    Set up a "default.asp" file which is essentially identical in all
    locations (each one includes the same inc file).

        +--cache
           +--application
           +--SiteA
           |  \--inc
           \--SiteB
              \--inc

        http://SiteA/default.asp
        Virtual App
        Site: localhost:90
        SiteName: SiteA

        http://SiteA/application/default.asp
        Virtual App
        Site: localhost:90
        SiteName: SiteA (This assumes you hit SiteA first)

        http://SiteB/default.asp
        Virtual App
        Site: localhost:91
        SiteName: SiteB

        http://SiteB/application/default.asp
        Virtual App
        Site: localhost:91
        SiteName: SiteA (This assumes you hit SiteA first)
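
    The behaviour above, as a small Python model added here (it is not
    code from the advisory or from IIS).  It assumes, as Ivan does, that
    the cache key is the physical path; the site-aware key, the class
    and function names and the audit helper are illustrative, and say
    nothing about how the hotfix works.

```python
# Constructed model: each site maps virtual paths to physical files.
SITES = {
    "SiteA": {"/inc/incConstants.asp": "cache/SiteA/inc/incConstants.asp",
              "/default.asp": "cache/SiteA/default.asp",
              "/application/default.asp": "cache/application/default.asp"},
    "SiteB": {"/inc/incConstants.asp": "cache/SiteB/inc/incConstants.asp",
              "/default.asp": "cache/SiteB/default.asp",
              "/application/default.asp": "cache/application/default.asp"},
}
INCLUDE = "/inc/incConstants.asp"
# Constructed include contents: the value each site's file gives siteName.
CONSTANTS = {"cache/SiteA/inc/incConstants.asp": "SiteA",
             "cache/SiteB/inc/incConstants.asp": "SiteB"}
PAGE = "SiteName: {siteName}"  # every default.asp is essentially identical


class TemplateCache:
    def __init__(self, key_includes_site):
        self.key_includes_site = key_includes_site
        self.compiled = {}

    def serve(self, site, virtual_path):
        physical = SITES[site][virtual_path]
        # Assumed flaw (the page's guess): key is the physical path alone.
        key = (site, physical) if self.key_includes_site else physical
        if key not in self.compiled:
            # The include is resolved in the requesting site's own tree
            # and merged into the cached result.
            include_file = SITES[site][INCLUDE]
            self.compiled[key] = PAGE.format(siteName=CONSTANTS[include_file])
        return self.compiled[key]


def replay(cache, path="/application/default.asp"):
    """Hit SiteA first, then SiteB, as in the advisory's test."""
    return [cache.serve(site, path) for site in ("SiteA", "SiteB")]


def divergent_shared_pages():
    """Audit: shared physical pages whose include differs between sites."""
    seen = {}
    for vmap in SITES.values():
        for vpath, physical in vmap.items():
            if vpath != INCLUDE:
                seen.setdefault(physical, set()).add(vmap[INCLUDE])
    return sorted(p for p, incs in seen.items() if len(incs) > 1)


if __name__ == "__main__":
    print(replay(TemplateCache(False)), divergent_shared_pages())
```

    With the path-only key the second request returns SiteA's value;
    the audit helper lists the shared page an administrator would need
    to isolate.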

SOLUTION

    A hotfix is available.  See Q197003:

        http://support.microsoft.com/support/kb/articles/q197/0/03.asp?FR=0

    To work around this problem, run the shared virtual directory  out
    of process  for all  the Web  Sites.   This can  be done using the
    following steps for each Web Site:

       1. Right-click on the virtual directory and select Properties,
       2. Select the Home Directory Property Page,
       3. Check Run in Separate Memory Space (isolated process),
       4. Stop and then restart the Web Sites.