Server Pages Vulnerable to Code Exposure
Reported July 1, 98 by Paul Ashton on NTBugTraq
SYSTEMS AFFECTED
A problem was discovered that affects Microsoft Internet Information Server (IIS). Web clients can read the contents of any NTFS file in an IIS directory to which they have been granted "read access", including Active Server Pages scripts. The main data stream, which stores the primary content, has an attribute called $DATA. Accessing this NTFS stream via IIS from a browser may display the contents of a file that is normally set to be acted upon by an Application Mapping.
The problem does not allow the user to modify the script or to execute arbitrary code.
According to Microsoft, for the problem to occur:
Microsoft has produced a hotfix for Microsoft Internet Information Server versions 3.0 and 4.0. Additionally, some administrative workarounds are included in the document located at:
People using IIS versions 3.0 and 4.0 should apply the hotfix -- users of previous versions of IIS should consider upgrading to a more recent version (3.0 or 4.0). The following hotfixes are available from the Microsoft FTP site:
Users who cannot apply the hotfix can remove "read" access for all .ASP files for non-admin user accounts. Additionally, the Application Maps can be modified to include ".ASP::$DATA".
More details on this workaround are available in Microsoft's Knowledge Base article Q188806.
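For administrators who want to check whether the $DATA stream was requested before the hotfix or workaround went in, the following is an added example (not part of the original advisory or of Microsoft's fix) that scans web server logs for such requests. It assumes W3C extended format logs with a #Fields header; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# NTFS names the main stream "::$DATA"; match it case-insensitively at the end of the path.
STREAM_SUFFIX = re.compile(r"::\$data\s*$", re.IGNORECASE)

def normalize(uri, max_rounds=3):
    """Percent-decode repeatedly so encoded and double-encoded forms are caught."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def find_stream_requests(lines):
    """Return (client_ip, decoded_uri, status) for each request naming the $DATA stream."""
    fields, hits = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            # The directive tells us which column holds which value.
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        uri = normalize(row.get("cs-uri-stem", ""))
        if STREAM_SUFFIX.search(uri):
            hits.append((row.get("c-ip"), uri, row.get("sc-status")))
    return hits

# Constructed sample log (W3C extended format), not taken from a real server.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
1998-07-02 10:01:12 192.0.2.10 GET /default.asp 200
1998-07-02 10:01:40 192.0.2.44 GET /default.asp::$DATA 200
1998-07-02 10:02:03 192.0.2.44 GET /app/login.asp%3a%3a%24data 200
1998-07-02 10:02:31 192.0.2.44 GET /app/login.asp%253A%253A%2524DATA 404
1998-07-02 10:03:00 192.0.2.10 GET /docs/data.htm 200
""".splitlines()

if __name__ == "__main__":
    for ip, uri, status in find_stream_requests(SAMPLE_LOG):
        print(f"{ip} requested {uri} -> {status}")
```

Hits logged with a 200 status are the ones to review first, since the scripts they name may contain credentials or connection strings that should be rotated.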
To learn more about new NT security concerns, subscribe to NTSD.
Credit:
Reported by: Paul Ashton on NTBugTraq
Posted here at NTSecurity.Net July 10, 1998