COMMAND

    Microsoft Internet Information Server

SYSTEMS AFFECTED

    Win NT 4.0 (server)

PROBLEM

    The following text is part of a L0pht Security Advisory, whose
    author is weld@l0pht.com.  It is based on the ASP attack (see ASP on
    this page - Security Bugware - for info); the MS patch for that bug
    opened a new hole.  L0pht SAs are posted at
    http://www.l0pht.com/advisories.html

    Microsoft's IIS 3.0 supports server side scripting using "Active
    Server Pages" or .asp files.  These files are meant to be executed
    and not be visible to the user.  These scripts may contain sensitive
    information such as SQL Server passwords.  These files can be
    downloaded and viewed instead of executed by replacing the '.' in a
    URL with '%2e'.  Severity: Users can read the server side script in
    .asp, .ht., .id, .PL files

    This problem, discovered in IIS 3.0, allowed users to read the
    contents of .asp files by appending a '.' or a series of '.'s to
    the end of a URL:

        http://www.mycompany.com/default.asp

    becomes

        http://www.mycompany.com/default.asp.

    Microsoft acknowledged the problem and released a hot-fix patch
    to IIS 3.0.  This is available from:

        http://www.microsoft.com/iis/iisnews/hotnews/security.htm

    This hot-fix solved the trailing  '.' problem but opened up  a new
    hole  which  allows  the  same  results  -  viewing  the .asp file
    instead of executing it.

    This is accomplished by replacing the '.' in the filename part  of
    a URL with a '%2e', the hex value for '.':

        http://www.mycompany.com/default.asp

    becomes

        http://www.mycompany.com/default%2easp

    Your browser will prompt  you to save the  file to disk where  you
    can then view the contents of the .asp file.

    Web sites that have not installed the Microsoft IIS 3.0 hot-fix
    are not affected by this problem, although the trailing '.' method
    still works to display the contents of the .asp file.

    An interesting thing happened when MS announced that they had fixed
    this bug.  After that, Dick van den Burg tried to reproduce the same
    thing on the MS web site but this time failed.  Some imagination
    suggested trying it this way:

        http://www.microsoft.com/default%2e%41sp.

    and that did allow him to retrieve the .asp file.
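
    All three request forms quoted above exploit the same weakness: the
    filter inspects the raw URL string, while the file system resolves a
    decoded, case-folded name with trailing dots ignored.  The following
    Python is an added example, not part of the L0pht advisory or of
    Microsoft's fix; it contrasts a naive raw-string extension check with
    one that canonicalises the path first.  The extension list, the
    helper names and the sample paths are assumptions for illustration.

```python
import urllib.parse

# Constructed list of server-side script extensions; the advisory names
# .asp (and .PL) as files that must execute rather than be served as source.
SCRIPT_EXTENSIONS = (".asp", ".pl")


def naive_is_script(raw_path: str) -> bool:
    """Weak check of the kind the advisory describes: it inspects the raw,
    still-encoded URL path and only recognises a literal trailing ".asp".
    A trailing '.', '%2e' for the dot, or '%41' for the 'A' all slip past."""
    return raw_path.endswith(".asp")


def canonical_path(raw_path: str) -> str:
    """Normalise the request path the way the file system will see it,
    before any decision about the extension is made:
      1. percent-decode once (what the server does before opening the file),
      2. treat backslashes as path separators,
      3. strip trailing dots and spaces from the last segment (NTFS ignores
         them, so 'default.asp.' opens 'default.asp'),
      4. fold case (NTFS names are case-insensitive)."""
    path = urllib.parse.unquote(raw_path)
    path = path.replace("\\", "/")
    cut = path.rfind("/") + 1
    path = path[:cut] + path[cut:].rstrip(". ")
    return path.lower()


def hardened_is_script(raw_path: str) -> bool:
    """Extension check applied to the canonical form, so every spelling of
    the same file name reaches the same decision."""
    return canonical_path(raw_path).endswith(SCRIPT_EXTENSIONS)


def classify(raw_path: str) -> str:
    """'execute' for script files (never serve their source), else 'serve'."""
    return "execute" if hardened_is_script(raw_path) else "serve"


if __name__ == "__main__":
    # The request forms quoted in the advisory (constructed sample input).
    for url_path in ("/default.asp", "/default.asp.",
                     "/default%2easp", "/default%2e%41sp."):
        print(f"{url_path:20} naive={naive_is_script(url_path)!s:5} "
              f"hardened={hardened_is_script(url_path)!s:5} -> "
              f"{classify(url_path)}")
```

    The point of the design is that the decision and the file lookup must
    agree on what the name is: decode exactly as the server does, apply
    the file system's own name rules, and only then compare extensions.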

SOLUTION

    Microsoft has been notified of this problem.  There is a hot-fix
    for this problem available from Microsoft, dated Thu Feb 27
    14:22:00 1997.  This problem only exists on sites without the
    hot-fix that attempted a fix using an ISAPI filter that failed to
    filter out '%2e' correctly.  The hot-fix can be obtained from:

        ftp://ftp.microsoft.com

    by following the path

        /bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postsp2/iis-fix/