IIS DoS and .ASP Code Exposure

IIS DoS and .ASP Code Exposure
Reported July 14 by Peter Grundl and Zuo Lei

VERSIONS AFFECTED

Internet Information Server 4.0 and 5.0

DESCRIPTION

Peter Grundl discovered that a script originally included with IIS 3.0 can cause denial of service attacks against IIS 4.0 and 5.0. The script is preserved on the system when an upgrade to IIS 4.0 or 5.0 is performed, even though the script is of no use on those versions of the operation system.

Zuo Lei discovered a new variation of the older .HTR code exposure problem, where fragments of .ASP and other files could potentially be retrieved from the server.

VENDOR RESPONSE

Microsoft issued FAQ# FQ00-044 regarding this problem along with a patch and Support Online article Q267559 and Q267560.

Ptches are avauilable at:

IIS 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=22709

IIS 5.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=22708

Microsoft"s bulletin states

"Note: The patch should only be installed by customers who have a business-critical need for the .HTR functionality. Microsoft recommends that all other customers disable the .HTR functionality altogether, as discussed in the FAQ.

Note: Customers who choose to install the patch should also strengthen the permissions on the /scripts/iisadmin folder in each web site on the server, and ensure that only administrators can access it."

CREDIT
Discovered by Peter Grundl and Zuo Lei

Comments

Plain text