COMMAND

    IIS

SYSTEMS AFFECTED

    Microsoft Internet Information Server 5.0

PROBLEM

    The following is based on a Microsoft Security Bulletin (MS00-058).
    If  an  IIS  server  receives  a  file  request  that  contains  a
    specialized  header  as   well  as  one   of  several   particular
    characters at  the end,  the expected  ISAPI extension  processing
    may not occur.   The result is  that the source  code of the  file
    would be sent to the browser.

    It  is  important  to  note  that  normal security recommendations
    militate strongly against ever including sensitive information  in
    .ASP files and, if these recommendations have been followed, there
    would be no sensitive information to compromise.  The  specialized
    header at  issue here  cannot be  created via  a standard Internet
    browser, so the request would  need to be created by  an alternate
    method.

SOLUTION

    Patch availability:

        http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23769

    This vulnerability is eliminated by installing Windows 2000 SP1:

        http://www.microsoft.com/windows2000/downloads/recommended/sp1/

    Microsoft recommends that customers apply SP1 as the preferred
    option for eliminating this vulnerability, as it has been fully
    regression tested and includes fixes for additional issues.