Re: [NTSEC] ! [ADVISORY] Major Security Hole in MS ASP

[paulle () MICROSOFT COM (Paul Leach)]

> Microsoft is aware of this problem and working on a hotfix now. As
> soon as the fix is available, it will be posted to our ftp site, and
> we will reply to this mail with details on how to download and apply
> the fix.
More information:

> This problem affects any script-mapped files that are requested from a
> virtual directory which has both Read and Execute permissions set. In
> this case, adding one or more extra periods onto the end of the URL
> will cause the file to be displayed in the browser instead of executed
> on the server. This would allow clients of your web site to see any
> script code or other content in the script source file. This problem
> affects any script-mapped files -- asp, htx/idc, etc. -- it is not
> limited to just .asp files.
>
> Until we have the fix ready, if you have any sensitive content in your
> script files, the only precaution that we know prevents this problem
> is to turn off virtual directory Read permissions on directories
> containing .asp files. Note: this will make other files (.htm, .gif)
> in the same directory inaccessible as well, so it may necessitate some
> content restructuring. Third parties on this and other mailing lists
> have suggested other solutions, but we have not tested them.
>
> We will provide a hotfix for this problem as soon as possible.
>
>
>
> ----------
> From:         Mark Joseph Edwards[SMTP:mark () ntshop net]
> Sent:         Thursday, February 20, 1997 9:39 AM
> To:   'bugtraq () netspace org'
> Cc:   'ntbugtraq () rc on ca'; 'ntsecurity () iss net'
> Subject:      [NTSEC] ! [ADVISORY] Major Security Hole in MS ASP
>
>
>               MICROSOFT IIS AND ACTIVE SERVER ADVISORY
>                Security Hole in ASP Discovered in Microsoft ASP
>                               February 20, 1997
>
> DESCRIPTION
> A serious security hole was found in Microsoft's Active Server Pages
> (ASP) by Juan T. Llibre <j.llibre () codetel net do>. This hole allows
> Web clients to download unprocessed ASP files potentially exposing
> user ids and passwords. ASP files are the common file type used by
> Microsoft's IIS and Active Server to perform server-side processing.
>
> HOW IT WORKS
> To download an unprocessed ASP file, simply append a period to the asp
> URL. For example: http://www.domain1.com/default.asp becomes
> http://www.domain1.com/default.asp. With the period appendage,
> Internet Information Server (IIS) will send the unprocessed ASP file
> to the Web client, wherein the source to the file can be examined at
> will. If the source includes any security parameter designed to allow
> access to other system processes, such as an SQL  database, they will
> be revealed.
>
> DEFENSE
> There are two known ways to stop this behavior:
>
> 1.Turn read permissions off of the ASP directory in the Internet
> Service Manager. This may not be a practical solution since many sites
> mix ASP and HTML files. If your site mixes these files together in the
> same directories, you may want to segregate them immediately. Now and
> in the future, treat your ASP files like any other Web based
> executable, and keep them in separate directories wherein permissions
> can be adjusted accordingly.
>
> 2.Download this filter written by Christoph Wille
> Christoph.Wille () unileoben ac at which can be located at
> http://www.ntshop.net/security/tools/sechole.zip or from
> http://www.genusa.com/asp/patch/sechole.zip
>
> END OF ADVISORY