! [ADVISORY] Major Security Hole in MS ASP

[mark () NTSHOP NET (Mark Joseph Edwards)]

                MICROSOFT IIS AND ACTIVE SERVER ADVISORY
                 Security Hole in ASP Discovered in Microsoft ASP
                                February 20, 1997

DESCRIPTION
A serious security hole was found in Microsoft's Active Server Pages (ASP) by Juan T. Llibre <j.llibre () codetel net 
do>. This hole allows Web clients to download unprocessed ASP files potentially exposing user ids and passwords. ASP 
files are the common file type used by Microsoft's IIS and Active Server to perform server-side processing.

HOW IT WORKS
To download an unprocessed ASP file, simply append a period to the asp URL. For example: 
http://www.domain1.com/default.asp becomes http://www.domain1.com/default.asp. With the period appendage, Internet 
Information Server (IIS) will send the unprocessed ASP file to the Web client, wherein the source to the file can be 
examined at will. If the source includes any security parameter designed to allow access to other system processes, 
such as an SQL  database, they will be revealed.

DEFENSE
There are two known ways to stop this behavior:

1.Turn read permissions off of the ASP directory in the Internet Service Manager. This may not be a practical solution 
since many sites mix ASP and HTML files. If your site mixes these files together in the same directories, you may want 
to segregate them immediately. Now and in the future, treat your ASP files like any other Web based executable, and 
keep them in separate directories wherein permissions can be adjusted accordingly.

2.Download this filter written by Christoph Wille Christoph.Wille () unileoben ac at which can be located at 
http://www.ntshop.net/security/tools/sechole.zip or from http://www.genusa.com/asp/patch/sechole.zip

END OF ADVISORY