COMMAND
ISM.DLL
SYSTEMS AFFECTED
IIS 4, 5
PROBLEM
The following is based on an ISBASE Security Advisory. The ISBASE
security team has found a security flaw in Microsoft IIS 4.0/5.0.
An attacker can obtain the contents of certain types of files
(.asp, .asa, .ini, ...) in Microsoft Internet Information Server
4.0 or 5.0. Normally an attacker should not be able to access the
contents of those files, and could obtain sensitive data contained
in them.
When an existing filename (for example, global.asa) is requested
from Microsoft Internet Information Server 4.0/5.0 with "+"
appended and an extension of ".htr", IIS is tricked into calling
the ISM.DLL ISAPI application to handle the request. When "+" is
found in the filename, ISM.DLL truncates the "+.htr" and opens
the target file (global.asa). If the target file is not an ".htr"
file, part of the target file's source code is exposed to the
attacker. For example, an attacker can retrieve the content of
global.asa, which often contains sensitive information such as a
SQL server's username and password.
Put this URL in your browser and view the source code of the
returned page:
http://www.victim.com/global.asa+.htr
SOLUTION
If you don't need HTR functionality, remove the script mapping
for HTR. Patches are available at:
IIS 4.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=22709
IIS 5.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=22708