IIS/NT bug plagues developers

A huge security bug in Microsoft's Web server, Internet Information Server (IIS), was revealed this week and the company has already posted a fix. The bug affects IIS 3.0 and 4.0, and there is a separate fix for each server. Basically, the bug allows users browsing an IIS site to read the source code for ASP files--IIS server-side files that contain scripting code that can contain system passwords--by appending the string "::$DATA" to the end of a URL. For example, to view the code contained in the file found at http://www.myserver.com/test.asp (not a real address), you could type:
  http://www.myserver.com/test.asp::$DATA

The bug also affects other file type, including SHTML and Perl files.

To counter this problem, the Microsoft Product Security Response Team has produced a hot-fix for IIS 4.0. Both hot-fixes can be found on the Microsoft FTP site:

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish