COMMAND

    IIS

SYSTEMS AFFECTED

    - Microsoft Internet Information Server 4.0
    - Microsoft Site Server 3.0
    - Microsoft Site Server Commerce Edition 3.0

PROBLEM

    The following is based on a Security Bulletin from Microsoft.  If a
    file on one of the affected web server products resides in a
    virtual directory whose name contains a legal file extension, the
    normal server-side processing of the file can be bypassed.  The
    vulnerability would manifest itself in different ways depending
    on the specific file type requested, the specific file extension
    in the virtual directory name, and the permissions that the
    requester has in the directory.  In most cases, an error would
    result and the requested file would not be served.  In the worst
    case, the source code of .ASP or other files could be sent to the
    browser.

    This vulnerability would be most likely to occur due to
    administrator error, or if a product generated an affected
    virtual directory name by default (Front Page Server Extensions
    is one such product).  Recommended security practices militate
    against including sensitive information in .ASP and other files
    that require server-side processing, and if this recommendation
    is observed, there would be no sensitive information divulged
    even if this vulnerability occurred.  In any event, an affected
    virtual directory could be identified during routine testing of
    the server.  Microsoft acknowledges Adam Hunger for bringing this
    issue to their attention.
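
    The routine check mentioned above can be scripted.  The following
    is an added example, not part of the Microsoft bulletin: it flags
    virtual directory names in which a path segment contains a dot
    followed by a file extension.  The extension set, the function
    names and the sample directory list are assumptions made for
    illustration; substitute the extensions actually mapped on the
    server being audited.

```python
import re

# Assumed extension set. Only .ASP is named in the bulletin; replace this
# with the script mappings and executable types configured on the server.
DEFAULT_EXTENSIONS = {"asp", "asa", "htr", "idc", "shtml", "stm",
                      "exe", "dll", "com"}


def risky_segments(vdir, extensions=DEFAULT_EXTENSIONS):
    """Return (segment, extension) pairs for every path segment of a
    virtual directory name that contains a dot followed by a listed
    extension. Matching is case-insensitive."""
    exts = {e.lower().lstrip(".") for e in extensions}
    hits = []
    # Accept both URL-style and Windows-style separators.
    for segment in re.split(r"[\\/]+", vdir.strip()):
        if "." not in segment:
            continue
        # Every dot-separated part after the first is a candidate extension,
        # so "www.example.com" is checked for both "example" and "com".
        for part in segment.split(".")[1:]:
            if part.lower() in exts:
                hits.append((segment, "." + part.lower()))
    return hits


def audit(vdirs, extensions=DEFAULT_EXTENSIONS):
    """Map each flagged virtual directory name to its risky segments."""
    report = {}
    for vdir in vdirs:
        hits = risky_segments(vdir, extensions)
        if hits:
            report[vdir] = hits
    return report


# Constructed sample input, not taken from any real server.
SAMPLE_VDIRS = ["/scripts", "/images", "/shop.asp/includes",
                "/www.example.com", "/docs/v1.0", "\\Legacy.ASP"]

if __name__ == "__main__":
    for vdir, hits in audit(SAMPLE_VDIRS).items():
        found = ", ".join(f"{seg} ({ext})" for seg, ext in hits)
        print(f"REVIEW {vdir}: {found}")
```

    Any name it reports should be renamed or the server patched as
    described under SOLUTION.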

SOLUTION

    Patch availability:

    - Intel:
        http://www.microsoft.com/Downloads/Release.asp?ReleaseID=16378
    - Alpha:
        http://www.microsoft.com/Downloads/Release.asp?ReleaseID=16379