Microsoft confirmed yesterday that its latest Web server, Internet Information Server 3.0, contains a security hole that could expose database passwords and other sensitive information to a person viewing the Web site. The glitch, found in IIS’ Active Server Pages (ASP) and the non-IIS HTX/IDC database connection feature, causes the contents of an ASP file to display in the browser when a period “.” is typed after the URL. Normally, the script in an ASP file will not display if the user tries to view the source, but this method allows even an unsophisticated user to gain access to the server-side scripts, which can contain sensitive information such as database passwords.
Microsoft will post a fix for this bug sometime this weekend or early next week.
Want more information?
Internet Information Server Security Issue
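Until the fix is installed, an administrator can check the Web server's logs for requests of the kind described above. The following is an added example, not code from Microsoft or from the original article: it scans a log in W3C extended format for script URLs that end in a period and lists the files whose source may have been served, so that any passwords stored in them can be changed. The log lines, paths and addresses are constructed for illustration, and the function names are hypothetical.

```python
import re
from urllib.parse import unquote

# Script types named in the article (ASP, HTX/IDC) followed by one or more periods.
SCRIPT_DOT = re.compile(r"\.(asp|htx|idc)\.+$", re.IGNORECASE)

# Constructed sample log (W3C extended format, RFC 5737 documentation addresses).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
1997-02-20 10:02:11 192.0.2.10 GET /default.asp 200
1997-02-20 10:02:40 192.0.2.77 GET /orders/query.asp. 200
1997-02-20 10:03:05 192.0.2.77 GET /orders/Lookup.IDC. 200
1997-02-20 10:03:09 192.0.2.77 GET /orders/missing.asp. 404
1997-02-20 10:04:00 192.0.2.10 GET /images/logo.gif 200
"""

def find_trailing_dot_requests(log_text):
    """Return one record per request for a script URL that ends in a period."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the rows below
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):         # skip malformed rows
            continue
        rec = dict(zip(fields, values))
        path = unquote(rec.get("cs-uri-stem", ""))  # match on the decoded path
        if SCRIPT_DOT.search(path):
            status = rec.get("sc-status", "")
            hits.append({
                "when": f'{rec.get("date", "")} {rec.get("time", "")}'.strip(),
                "client": rec.get("c-ip", ""),
                "path": path,
                "served": status.startswith("2"),  # 2xx: content was returned
            })
    return hits

def files_to_review(hits):
    """Scripts that were returned to a client; rotate any credentials in them."""
    return sorted({h["path"].rstrip(".").lower() for h in hits if h["served"]})

if __name__ == "__main__":
    found = find_trailing_dot_requests(SAMPLE_LOG)
    for h in found:
        print(h["when"], h["client"], h["path"], "served" if h["served"] else "not served")
    print("Review:", files_to_review(found))
```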