COMMAND

    Site Server

SYSTEMS AFFECTED

    Site Server 3.0

PROBLEM

    Andrey Kruchkov found the  following.   It  was  tested  on  MS
    Site  Server  3.0  Commerce  Edition.   Site  Server  allows   the
    installation  of   an  AdSamples   directory,  which   serves   to
    demonstrate the capabilities of the Ad Server component.  If  this
    directory  is  installed  and  left  open  to  the  public without
    limiting  directory  permissions,  a   user  can  obtain  a   site
    configuration file (SITE.CSC) that contains sensitive  information
    pertaining to an SQL database.   This information could contain  a
    DSN, as well as a username and password used by the Ad Server  to
    access the SQL server database.   For a URL that demonstrates  the
    problem, please visit

        http://www.ntsecurity.net/scripts/loader.asp?iD=/security/siteserver-2.htm

SOLUTION

    Remove the "AdSamples" virtual directory from the DEFAULT root Web
    site,  or  change   security  permissions  for   this  folder   to
    sufficiently restrict access.  If you must provide loose access to
    this virtual directory for some strange reason, then you should at
    least adjust  the security  permissions for  the SITE.CSC  file so
    that it's not available for viewing. Also keep in mind that  there
    may  be  numerous  other  SITE.CSC  files  under  your Site Server
    installation, all of which need to be secured.
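
    One way to audit the other SITE.CSC files mentioned above (an added
    example, not part of the original advisory).  The install path and the
    list of broad principals are assumptions; adjust both for your server.

```powershell
# Added example: list every SITE.CSC under an install root whose NTFS ACL
# lets a broad principal read it. Run from an administrative prompt.
param(
    [string]$Root = 'C:\Microsoft Site Server'   # assumed path, not from the advisory
)

# Principals treated as "open to the public" (assumption). IUSR_<machine> is the
# conventional IIS anonymous account name.
$broad = '^(Everyone|NT AUTHORITY\\Authenticated Users|BUILTIN\\Users|.*\\IUSR_.*)$'

# ReadData is the right needed to read file contents.
$readMask = [int][System.Security.AccessControl.FileSystemRights]::ReadData

function Get-ExposedCsc {
    param([string]$Path)
    Get-ChildItem -Path $Path -Filter 'SITE.CSC' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        $acl  = Get-Acl -LiteralPath $file.FullName

        # Principals with an explicit Deny on read. Matching is by exact
        # principal name only; group membership is not resolved here.
        $deny = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            (([int]$_.FileSystemRights -band $readMask) -ne 0)
        } | ForEach-Object { $_.IdentityReference.Value }

        # Report each Allow entry that grants read to a broad principal.
        $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band $readMask) -ne 0) -and
            $_.IdentityReference.Value -match $broad -and
            $deny -notcontains $_.IdentityReference.Value
        } | ForEach-Object {
            [pscustomobject]@{
                File      = $file.FullName
                Principal = $_.IdentityReference.Value
                Rights    = $_.FileSystemRights
                Inherited = $_.IsInherited   # True means fix the parent folder ACL
            }
        }
    }
}

Get-ExposedCsc -Path $Root | Format-Table -AutoSize
```

    An empty result means no SITE.CSC under the root is readable by the
    listed principals; rows with Inherited set to True are fixed on the
    parent directory rather than on the file.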

    This is probably a great time to remind people once again to NEVER
    install sample content on production servers and to NEVER use  the
    built-in   IIS   DEFAULT   Web   site   without  first  thoroughly
    investigating the implications of doing so.