Bugtraq mailing list archives
Re: [NTSEC] ! [ADVISORY] Major Security Hole in MS ASP
From: paulle () MICROSOFT COM (Paul Leach)
Date: Thu, 20 Feb 1997 13:51:04 -0800
Microsoft is aware of this problem and working on a hotfix now. As soon as the fix is available, it will be posted to our ftp site, and we will reply to this mail with details on how to download and apply the fix.
More information:
This problem affects any script-mapped files that are requested from a virtual directory which has both Read and Execute permissions set. In this case, adding one or more extra periods onto the end of the URL will cause the file to be displayed in the browser instead of executed on the server. This would allow clients of your web site to see any script code or other content in the script source file. This problem affects any script-mapped files -- asp, htx/idc, etc. -- it is not limited to just .asp files. Until we have the fix ready, if you have any sensitive content in your script files, the only precaution that we know prevents this problem is to turn off virtual directory Read permissions on directories containing .asp files. Note: this will make other files (.htm, .gif) in the same directory inaccessible as well, so it may necessitate some content restructuring. Third parties on this and other mailing lists have suggested other solutions, but we have not tested them. We will provide a hotfix for this problem as soon as possible. ---------- From: Mark Joseph Edwards[SMTP:mark () ntshop net] Sent: Thursday, February 20, 1997 9:39 AM To: 'bugtraq () netspace org' Cc: 'ntbugtraq () rc on ca'; 'ntsecurity () iss net' Subject: [NTSEC] ! [ADVISORY] Major Security Hole in MS ASP MICROSOFT IIS AND ACTIVE SERVER ADVISORY Security Hole in ASP Discovered in Microsoft ASP February 20, 1997 DESCRIPTION A serious security hole was found in Microsoft's Active Server Pages (ASP) by Juan T. Llibre <j.llibre () codetel net do>. This hole allows Web clients to download unprocessed ASP files potentially exposing user ids and passwords. ASP files are the common file type used by Microsoft's IIS and Active Server to perform server-side processing. HOW IT WORKS To download an unprocessed ASP file, simply append a period to the asp URL. For example: http://www.domain1.com/default.asp becomes http://www.domain1.com/default.asp. With the period appendage, Internet Information Server (IIS) will send the unprocessed ASP file to the Web client, wherein the source to the file can be examined at will. If the source includes any security parameter designed to allow access to other system processes, such as an SQL database, they will be revealed. DEFENSE There are two known ways to stop this behavior: 1.Turn read permissions off of the ASP directory in the Internet Service Manager. This may not be a practical solution since many sites mix ASP and HTML files. If your site mixes these files together in the same directories, you may want to segregate them immediately. Now and in the future, treat your ASP files like any other Web based executable, and keep them in separate directories wherein permissions can be adjusted accordingly. 2.Download this filter written by Christoph Wille Christoph.Wille () unileoben ac at which can be located at http://www.ntshop.net/security/tools/sechole.zip or from http://www.genusa.com/asp/patch/sechole.zip END OF ADVISORY
Current thread:
- Re: [NTSEC] ! [ADVISORY] Major Security Hole in MS ASP Paul Leach (Feb 20)
- <Possible follow-ups>
- Re: [NTSEC] ! [ADVISORY] Major Security Hole in MS ASP Mitja Kolsek (Feb 25)