COMMAND

    IIS ("Double Byte Code Page")

SYSTEMS AFFECTED

    WinNT with  IIS 3.0  and 4.0  (if run  on a  server whose  default
    language is set to Chinese, Korean, or Japanese)

PROBLEM

    Following is based on the MS  Security Bulletin.  When IIS is  run
    on a  machine on  which a  double-byte character  set code page is
    used (i.e., the  default language on the server is set to Chinese,
    Japanese, or Korean), and a  specific URL construction is used  to
    request  a  file  in  a  virtual  directory,  normal   server-side
    processing is  bypassed. As a result, the file is simply delivered
    as text to the  browser, thereby allowing the   source code to  be
    viewed.

    How do  you know  you might  be affected  by this?   If you  got a
    version of  NT for  any language  other than  Chinese, Korean,  or
    Japanese,  then  you  would  had  to  have installed the "Far East
    Language Pack" to make these languages available on your  machine.
    Then, assuming you did install  this pack, you would have  to have
    gone  into  Control  Panel/Regional  Settings/Input  Locale,   and
    actually chosen  one of  them as  your default  language.   If you
    haven't done this, be not afraid.   The other way is if you got  a
    Chinese, Korean, or Japanese version of NT and have left the Input
    Locale  to  that  language  (or  have  chosen  one  of  the  other
    languages).  If, however, you have chose, e.g. EN (English),  then
    you're not susceptible.  Of course  you have to be running IIS  on
    this box.

    This vulnerability  could allow  a web  site viewer  to obtain the
    source code for  .asp and similar  files if   the server's default
    language (Input  Locale) is  set to  Chinese, Japanese  or Korean.
    How this works  is as follows.   IIS checks the  extension of  the
    requested file  to see  if it  needs to  do any  processing before
    delivering the information.  If the requested extension is not  on
    it's  list,  it  then  makes  any language-based calculations, and
    delivers the file. If a single byte is appended to the end of  the
    URL when IIS to set to  use one of the double-byte language  packs
    (Chinese, Japanese, or Korean)  the language module will  strip it
    as invalid, then look for the file.  Since the new URL now  points
    to a  valid filename,  and IIS  has already  determined that  this
    transaction requires no processing,  the file is simply  delivered
    as is, exposing the source code.

SOLUTION

    Microsoft has identifed  and corrected a  regression error in  the
    IIS 4.0 version of  the previously-released patch for  the "Double
    Byte  Code  Page"  vulnerability.   The  corrected  patch has been
    re-released, and an updated security bulletin is available at:

        - English: ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/security/fesrc-fix
        - Simplified Chinese: ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/chs/security/fesrc-fix
        - Traditional Chinese: ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/cht/security/fesrc-fix
        - Japanese: ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/jpn/security/fesrc-fix
        - Korean: ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/kor/security/fesrc-fix