COMMAND

    IIS, SiteServer

SYSTEMS AFFECTED

    Win NT with Microsoft Site Server 3.0 (included with Site Server 3
    Commerce Edition,  Microsoft Commercial  Internet System  2.0, and
    Microsoft BackOffice Server 4.0 and 4.5) and IIS 4.0

PROBLEM

    The following was found by Weld Pond and distributed as an L0pht
    Security Advisory.  Internet Information Server (IIS) 4.0 ships
    with a set of sample files to help web developers learn about
    Active Server Pages (ASP).  One of these sample files, showcode.asp,
    is designed
    to  view  the  source  code  of  the sample applications via a web
    browser.  The showcode.asp file does inadequate security  checking
    and allows anyone with a web  browser to view the contents of  any
    text file on the web server.  This includes files that are outside
    of the document root of the web server.

    Many  ecommerce  web  servers  store  transaction  logs  and other
    customer  information  such  as  credit  card  numbers,   shipping
    addresses,  and  purchase  information  in  text  files on the web
    server.  This is the type of data that could be accessed with this
    vulnerability.   The L0pht  thanks Parcens  for doing  the initial
    research on this problem.

    The showcode.asp file is installed by default at the URL:

        http://www.someserver.com/msadc/Samples/SELECTOR/showcode.asp

    It takes 1 argument  in the URL, which  is the file to  view.  The
    format of this argument is:

        source=/path/filename

    So to view  the contents of  the showcode.asp file  itself the URL
    would be:

        http://www.someserver.com/msadc/Samples/SELECTOR/showcode.asp?source=/msadc/Samples/SELECTOR/showcode.asp

    This looks like a fairly dangerous  sample file.  It can view  the
    contents of files on the system.  The author of the ASP file added
    a security  check to  only allow  the viewing  of the sample files
    which were in the '/msadc'  directory on the system.   The problem
    is the security check does not test for the '..' characters within
    the URL.  The only checking done is if the URL contains the string
    '/msadc/'.   This allows  URLs to  be created  that view, not only
    files outside of the samples directory, but files anywhere on  the
    entire file system that the web server's document root is on.  For
    example, a URL that will view the contents of the boot.ini file,
    which is in the root directory of an NT system, is:

        http://www.someserver.com/msadc/Samples/SELECTOR/showcode.asp?source=/msadc/Samples/../../../../../boot.ini

    This  URL  requires  that  IIS  4.0  was  installed in its default
    location.
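    To show why the substring test fails, here is an added Python model
    of the check as the advisory describes it (my own code, not the
    original showcode.asp, which is VBScript ASP) beside a hardened
    version that canonicalises the path before deciding.  SAMPLES_ROOT
    and the function names are assumptions made for this example.

```python
import posixpath
from urllib.parse import unquote

# Directory the sample viewer was meant to serve from (assumed from the
# advisory's description; the real script only looks for '/msadc/').
SAMPLES_ROOT = "/msadc/Samples/"


def weak_check(source: str) -> bool:
    """Model of the check described in the advisory: the request is
    accepted if the string '/msadc/' appears anywhere in the path.
    '..' segments are never examined, so traversal passes."""
    return "/msadc/" in source


def canonical_web_path(source: str) -> str:
    """Rewrite the requested path the way the file system will read it:
    percent-decode, treat backslashes as separators (Windows accepts
    both), then collapse '.' and '..' segments.  posixpath.normpath never
    climbs above '/', so '/msadc/Samples/../../x' becomes '/x'."""
    decoded = unquote(source).replace("\\", "/")
    if not decoded.startswith("/"):
        decoded = "/" + decoded
    return posixpath.normpath(decoded)


def hardened_check(source: str) -> bool:
    """Accept the request only if the canonical path still lies below
    SAMPLES_ROOT.  The comparison is case-insensitive because NTFS paths
    are, and the trailing '/' keeps '/msadc/Samples2/...' out."""
    root = posixpath.normpath(SAMPLES_ROOT).lower() + "/"
    return canonical_web_path(source).lower().startswith(root)


def compare(source: str) -> dict:
    """Run both checks on one 'source=' value and report the outcome."""
    return {
        "source": source,
        "canonical": canonical_web_path(source),
        "weak_allows": weak_check(source),
        "hardened_allows": hardened_check(source),
    }


if __name__ == "__main__":
    # The two 'source=' values from the advisory plus a constructed
    # variant with percent-encoded backslashes.
    for s in ("/msadc/Samples/SELECTOR/showcode.asp",
              "/msadc/Samples/../../../../../boot.ini",
              "/msadc/Samples/..%5c..%5cboot.ini"):
        print(compare(s))
```

    The point of the hardened version is that the decision is made on
    the path the file system will actually open, not on the string the
    client sent; a server-side fix would additionally resolve the path
    against the real document root (os.path.realpath or its equivalent)
    before comparing.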

    WebTrends Corporation, through their "SecureTrends Security
    Advisory" mechanism, released 3 example exploits, 2 for IIS 4.0
    and 1 for Site Server 3.0.  WebTrends also reported the showcode.asp
    issue, as well as one in codebrws.asp (both from IIS 4.0), and one
    in viewcode.asp (from Site Server 3.0 Commerce Edition).  All 3
    reports describe the same vulnerability: the ability to use "../"
    to climb the directory tree and read files.
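    As an added detection example (my own code, not from the advisory
    or from WebTrends), the following Python flags requests to any of
    the three viewers whose source parameter carries a '..' segment,
    run over a constructed IIS W3C extended log excerpt.  The log lines,
    addresses and the codebrws.asp path are invented for this example.

```python
from urllib.parse import parse_qs, unquote

# File viewers the advisory names; a legitimate request to them never
# needs a '..' segment in the 'source' parameter.
VIEWERS = ("showcode.asp", "codebrws.asp", "viewcode.asp")

# Constructed W3C extended log excerpt; hosts, times and addresses are
# invented for this example.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
1999-05-10 10:01:02 10.0.0.5 GET /default.asp - 200
1999-05-10 10:01:09 10.0.0.5 GET /msadc/Samples/SELECTOR/showcode.asp source=/msadc/Samples/SELECTOR/showcode.asp 200
1999-05-10 10:02:31 10.0.0.9 GET /msadc/Samples/SELECTOR/showcode.asp source=/msadc/Samples/../../../../../boot.ini 200
1999-05-10 10:03:14 10.0.0.9 GET /iissamples/exair/howitworks/codebrws.asp source=/iissamples/exair/..%2f..%2fwinnt%2fwin.ini 200
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the most
    recent '#Fields:' directive (W3C extended format)."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def has_parent_segment(value):
    """True if the decoded path contains a '..' segment.  parse_qs has
    already decoded the value once; decoding again here catches a
    double-encoded '%252e%252e', and '\\' is treated as a separator
    because Windows accepts it as one."""
    segments = unquote(value).replace("\\", "/").split("/")
    return ".." in segments


def find_traversal_requests(text):
    """Return (timestamp, client, stem, source) for each request to one of
    VIEWERS whose 'source' parameter climbs the directory tree."""
    alerts = []
    for rec in parse_w3c(text):
        if not rec["cs-uri-stem"].lower().endswith(VIEWERS):
            continue
        if rec["cs-uri-query"] == "-":
            continue
        for source in parse_qs(rec["cs-uri-query"]).get("source", []):
            if has_parent_segment(source):
                alerts.append((rec["date"] + " " + rec["time"],
                               rec["c-ip"], rec["cs-uri-stem"], source))
    return alerts


if __name__ == "__main__":
    for alert in find_traversal_requests(SAMPLE_LOG):
        print("traversal attempt:", *alert)
```

    Note that the status code is deliberately ignored: an unpatched
    server answers these requests with 200, so a rule that only looks at
    errors would miss exactly the successful reads.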

SOLUTION

    There are a couple of Knowledge Base articles on this kind of
    thing.  See Q184717, 'AspEnableParentPaths MetaBase Property Should
    Be Set To False', as well as the one on removing samples.  Also
    note that the exair sample (which is NOT installed by default) has
    showcode functionality too.  For production servers, sample files
    should never be installed, so delete the entire /msadc/samples
    directory.  Customers should take the following steps to eliminate
    the vulnerability on their web servers:

    - Unless the  affected file viewers  are specifically required  on
      the  web  site,  they  should  be  removed.   The following file
      viewers are  affected: ViewCode.asp,  ShowCode.asp, CodeBrws.asp
      and Winmsdp.exe.   Depending on  the specific  installation, not
      all of these files may be present on a server.  Likewise,  there
      may be multiple copies of  some files, so customers should  do a
      full search of their servers to locate all copies.
    - In   accordance  with   standard  security   guidelines,    file
      permissions  should  always  be  set  to  enable web visitors to
      access only the files they need, and no others.  Moreover, files
      that  are  needed  by  web  visitors  should  provide  the least
      privilege needed; for example,  files that web visitors  need to
      be able to read but not write should be set to read-only.
    - As  a general  rule, sample  files and  vroots should  always be
      deleted from a web server  prior to putting it into  production.
      If they are  needed, file access  permissions should be  used to
      regulate access to them as appropriate.
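    The "full search" step above, as an added Python helper of my own
    (not Microsoft's tooling): it walks a tree and lists every copy of
    the four affected viewers regardless of case.  It is run here
    against a constructed directory layout in a temporary folder; the
    paths in build_demo_tree are invented for the example.

```python
import os
import tempfile

# File viewers the advisory names as affected (matched case-insensitively,
# since NTFS and IIS do not distinguish case).
AFFECTED = {"viewcode.asp", "showcode.asp", "codebrws.asp", "winmsdp.exe"}


def find_affected_viewers(root):
    """Walk 'root' and return every copy of an affected viewer, sorted.
    Backup directories and second vroots are the usual places extra copies
    hide, which is why the whole tree is searched rather than /msadc."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower() in AFFECTED:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def build_demo_tree():
    """Create a constructed layout in a temporary directory (invented for
    this example, not a real server image) and return its path."""
    root = tempfile.mkdtemp(prefix="iisaudit_")
    for rel in ("msadc/Samples/SELECTOR/showcode.asp",
                "IISSAMPLES/ExAir/HowItWorks/CodeBrws.asp",
                "SiteServer/Publishing/viewcode.asp",
                "System32/inetsrv/Winmsdp.exe",
                "backup/msadc/Samples/SELECTOR/ShowCode.asp",
                "wwwroot/default.asp"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root


if __name__ == "__main__":
    import sys
    # Pass a real web root on the command line, or run against the demo tree.
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree()
    for path in find_affected_viewers(target):
        print("affected viewer:", path)
```

    Run it from each drive root rather than only the document root, since
    the advisory notes that several copies of a file may exist on one
    server.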

    Microsoft highly recommends that customers evaluate the degree  of
    risk that this vulnerability  poses to their systems and determine
    whether to download and install the patch. The patch can be  found
    at:

    - Internet Information Server:
        ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/Viewcode-fix/
    - Site Server:
        ftp://ftp.microsoft.com/bussys/sitesrv/sitesrv-public/fixes/usa/siteserver3/hotfixes-postsp2/Viewcode-fix/

    Microsoft  has  provided  a  checklist  that  customers can use to
    ensure that  their web  servers have  been properly  secured. This
    checklist is available at:

        http://www.microsoft.com/security/products/iis/checklist.asp