[1571] in WWW Security List Archive
IIS - .CMD/.BAT Patch Provides Security Enhancements to IIS
daemon@ATHENA.MIT.EDU (BackOffice-PostMaster)
Sat Mar 2 03:42:54 1996
From: BackOffice-PostMaster <backoffice-postmaster@canon.bhs.com>
To: "'webserver-nt@delta.process.com'" <webserver-nt@delta.process.com>,
"'www-security@ns2.rutgers.edu'" <www-security@ns2.rutgers.edu>,
"'nt-announce@metric.com'" <nt-announce@metric.com>,
"'iwntug@iwntug.org'" <iwntug@iwntug.org>
Date: Fri, 1 Mar 1996 21:44:18 -0800
Errors-To: owner-www-security@ns2.rutgers.edu
Internet Information Server (IIS)
.CMD/.BAT Patch Provides Security Enhancements to IIS
On Sunday, 2/25, Microsoft was alerted to a newsgroup posting regarding
a security exposure, the ".CMD/.BAT Bug", whereby a complicated string
of command line commands could be sent to IIS via a web browser and
executed on the server. Those with malicious intent could use this
capability to tamper with an IIS installation (it is highly unlikely
that anything could happen accidentally as a result of this bug,
however).
In response, we immediately began working on a fix which provides a
permanent solution to this problem. It will be available by the end of
the day on our web site (http://www.microsoft.com/infoserv). It is
important to note that you should always follow the safety guidelines
we outline in the IIS Installation Guide regarding the securing of IIS
against intruders in order to minimize exposure to security problems.
Regardless of whether or not you have followed these instructions, we
recommend you download and install the .CMD/.BAT Patch (108K) on all
IIS installations.
Note that any copy of IIS downloaded from our online distribution sites
after 3/5 will contain this fix.
It turns out that this problem is not unique to IIS; similar problems
exist with other NT web servers. As a result, the Microsoft Developer
Relations group is in the process of notifying these vendors about the
problem and providing guidance so that they can address it where
appropriate.
Thanks for your continued support of the Microsoft Internet Information
Server.
The Internet Server Team