[4080] in bugtraq

Re: [NTSEC] ! [ADVISORY] Major Security Hole in MS ASP

daemon@ATHENA.MIT.EDU (Paul Leach)
Thu Feb 20 21:19:48 1997

Date: 	Thu, 20 Feb 1997 13:51:04 -0800
Reply-To: Paul Leach <paulle@MICROSOFT.COM>
From: Paul Leach <paulle@MICROSOFT.COM>
X-To:         Mark Joseph Edwards <mark@ntshop.net>
To: BUGTRAQ@NETSPACE.ORG

> Microsoft is aware of this problem and working on a hotfix now. As
> soon as the fix is available, it will be posted to our ftp site, and
> we will reply to this mail with details on how to download and apply
> the fix.
>
More information:

> This problem affects any script-mapped files that are requested from a
> virtual directory which has both Read and Execute permissions set. In
> this case, adding one or more extra periods onto the end of the URL
> will cause the file to be displayed in the browser instead of executed
> on the server. This would allow clients of your web site to see any
> script code or other content in the script source file. This problem
> affects any script-mapped files -- asp, htx/idc, etc. -- it is not
> limited to just .asp files.
>
> Until we have the fix ready, if you have any sensitive content in your
> script files, the only precaution that we know prevents this problem
> is to turn off virtual directory Read permissions on directories
> containing .asp files. Note: this will make other files (.htm, .gif)
> in the same directory inaccessible as well, so it may necessitate some
> content restructuring. Third parties on this and other mailing lists
> have suggested other solutions, but we have not tested them.
>
> We will provide a hotfix for this problem as soon as possible.
>
>
>
> ----------
> From:         Mark Joseph Edwards[SMTP:mark@ntshop.net]
> Sent:         Thursday, February 20, 1997 9:39 AM
> To:   'bugtraq@netspace.org'
> Cc:   'ntbugtraq@rc.on.ca'; 'ntsecurity@iss.net'
> Subject:      [NTSEC] ! [ADVISORY] Major Security Hole in MS ASP
>
>
>               MICROSOFT IIS AND ACTIVE SERVER ADVISORY
>                Security Hole in ASP Discovered in Microsoft ASP
>                               February 20, 1997
>
> DESCRIPTION
> A serious security hole was found in Microsoft's Active Server Pages
> (ASP) by Juan T. Llibre <j.llibre@codetel.net.do>. This hole allows
> Web clients to download unprocessed ASP files potentially exposing
> user ids and passwords. ASP files are the common file type used by
> Microsoft's IIS and Active Server to perform server-side processing.
>
> HOW IT WORKS
> To download an unprocessed ASP file, simply append a period to the asp
> URL. For example: http://www.domain1.com/default.asp becomes
> http://www.domain1.com/default.asp. With the period appendage,
> Internet Information Server (IIS) will send the unprocessed ASP file
> to the Web client, wherein the source to the file can be examined at
> will. If the source includes any security parameter designed to allow
> access to other system processes, such as an SQL database, they will
> be revealed.
>
> DEFENSE
> There are two known ways to stop this behavior:
>
> 1. Turn read permissions off of the ASP directory in the Internet
> Service Manager. This may not be a practical solution since many sites
> mix ASP and HTML files. If your site mixes these files together in the
> same directories, you may want to segregate them immediately. Now and
> in the future, treat your ASP files like any other Web based
> executable, and keep them in separate directories wherein permissions
> can be adjusted accordingly.
>
> 2. Download this filter written by Christoph Wille
> Christoph.Wille@unileoben.ac.at which can be located at
> http://www.ntshop.net/security/tools/sechole.zip or from
> http://www.genusa.com/asp/patch/sechole.zip
>
> END OF ADVISORY
>
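
An added example, not part of the original message and not the hotfix or the filter mentioned above: a log scan that flags requests whose path names a script-mapped file (asp, htx, idc, as listed in the message) only after one or more trailing periods are removed. The four-field log layout, the function names and the sample lines are assumptions constructed for this illustration.

```python
import re

# Script-mapped extensions named in the message ("asp, htx/idc, etc.").
SCRIPT_EXTENSIONS = {".asp", ".htx", ".idc"}

# Constructed sample lines in a simplified "client method uri status" layout
# (an assumption for this example, not a real IIS log format).
SAMPLE_LOG = """\
10.0.0.5 GET /default.asp 200
10.0.0.9 GET /default.asp. 200
10.0.0.9 GET /scripts/query.idc...?id=4 200
10.0.0.7 GET /images/logo.gif 200
10.0.0.7 GET /docs/readme.htm. 404
"""

def classify_path(uri):
    """Return (canonical_path, suspicious) for one request URI.

    suspicious is True when the path names a script-mapped file only
    after its trailing periods are removed, the request shape the
    advisory says is served as source instead of being executed.
    """
    path = uri.split("?", 1)[0]          # ignore the query string
    canonical = path.rstrip(".")         # drop one or more trailing periods
    had_trailing_dots = canonical != path
    match = re.search(r"\.[A-Za-z0-9]+$", canonical)
    ext = match.group(0).lower() if match else ""
    return canonical, had_trailing_dots and ext in SCRIPT_EXTENSIONS

def scan(log_text):
    """Return a list of (client, uri, status) for each flagged request."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not match the assumed layout
        client, _method, uri, status = fields
        if classify_path(uri)[1]:
            hits.append((client, uri, status))
    return hits

if __name__ == "__main__":
    for client, uri, status in scan(SAMPLE_LOG):
        print(f"{client} requested {uri} (status {status})")
```

A flagged request that was answered with status 200 is the case to review first, since that is where script source may have been returned to the client.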
