COMMAND

    IIS (see below)

SYSTEMS AFFECTED

    - Microsoft Internet Information Server 4.0 and 5.0
    - Microsoft Proxy Server 2.0
    - Microsoft Site Server and Site Server, Commerce Edition 3.0
    - Microsoft Commercial Internet System 2.0 and 2.5

PROBLEM

    The following is based on a Security Bulletin from Microsoft.  If
    a virtual directory  on an IIS  server is mapped  to a UNC  share,
    and a request for a file in the directory contains one of  several
    particular characters  at the  end, the  expected ISAPI  extension
    processing may not occur.  The result is that the  source code  of
    the file would be sent to the browser.

    There  are  significant  restrictions  that  would  increase   the
    difficulty of exploiting this vulnerability:

    - By  design,  virtual  directories  hide  the actual location  of
      files.  Under most circumstances,  there would be no way  for an
      attacker to determine which files on a server actually reside on
      a UNC share.
    - Many browsers will "correct" requests that contain the  trailing
      characters at issue here,  by either removing the  characters or
      changing them.
    - If recommended security  practices are followed, .ASP  and other
      files that require server-side  processing will not contain  any
      sensitive information to compromise.

    This was originally found by Adam Coyne.

    For those of you interested in the problem, making a request for a
    file with a trailing '\' from a virtual directory hosted on a  UNC
    share will cause the source to be given.  So, for example:

        Virtual directory: /test/ -> \\some_server\share\
        There exists \\some_server\share\test.asp

    Now a simple request  such as "GET /test/test.asp\  HTTP/1.0" will
    yield the source of test.asp.
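
    Added example (not part of the original advisory or of Microsoft's
    bulletin): a check for the trailing-'\' request shown above, run over
    IIS W3C extended log lines.  The sample log is constructed, the
    extension list is an assumption to be matched to the server's own
    script mappings, and only the '\' character named here is checked.

```python
from urllib.parse import unquote

# Assumption: extend with the site's other script-mapped extensions.
SCRIPT_EXTS = (".asp",)

def is_suspicious_stem(stem, exts=SCRIPT_EXTS):
    """True if the URI stem names a script file followed by trailing backslash(es)."""
    decoded = unquote(stem)              # also catches the %5C encoded form
    if not decoded.endswith("\\"):
        return False
    name = decoded.rstrip("\\").rsplit("/", 1)[-1].lower()
    return name.endswith(tuple(exts))

def scan_w3c_log(lines, exts=SCRIPT_EXTS):
    """Return (client_ip, stem, status) for each flagged request."""
    fields, hits = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]    # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "")
        if is_suspicious_stem(stem, exts):
            hits.append((row.get("c-ip", "-"), stem, row.get("sc-status", "-")))
    return hits

# Constructed sample log (not from a real server).
SAMPLE_LOG = r"""#Fields: date time c-ip cs-method cs-uri-stem sc-status
2000-01-01 10:00:01 192.0.2.10 GET /test/test.asp 200
2000-01-01 10:00:05 192.0.2.77 GET /test/test.asp\ 200
2000-01-01 10:00:09 192.0.2.77 GET /test/test.asp%5C 200
2000-01-01 10:00:12 192.0.2.10 GET /images/logo.gif 200
2000-01-01 10:00:15 192.0.2.10 GET /docs\ 404
""".splitlines()

if __name__ == "__main__":
    for ip, stem, status in scan_w3c_log(SAMPLE_LOG):
        print(f"{ip} requested {stem!r} -> HTTP {status}")
```

    A flagged request that returned status 200 from a virtual directory
    mapped to a UNC share is the case worth reviewing first.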

SOLUTION

    Patch availability:

    - Internet Information Server 4.0
      Intel: http://www.microsoft.com/downloads/release.asp?ReleaseID=18900
      Alpha: http://www.microsoft.com/downloads/release.asp?ReleaseID=18901
    - Internet Information Server 5.0
      http://www.microsoft.com/downloads/release.asp?ReleaseID=19982

    NOTE: Proxy Server, Site Server, Site Server Commerce Edition  and
    Microsoft  Commercial  Internet  System  run  atop IIS.  Customers
    using these products  should apply the  patch appropriate for  the
    version of IIS they are running.