[4112] in bugtraq
Fw: IIS Hotfix Available
daemon@ATHENA.MIT.EDU (Derrick Bennett)
Sat Mar 1 00:32:10 1997
Date: Fri, 28 Feb 1997 18:23:17 -0800
Reply-To: Derrick Bennett <Dc-comp@IX.NETCOM.COM>
From: Derrick Bennett <Dc-comp@IX.NETCOM.COM>
To: BUGTRAQ@netspace.org
I received this today and wanted to pass it on to all those with the
asp problem.
Derrick
DC-comp@ix.netcom.com
----------
> From: Microsoft Internet Information Server Team <msiiseval@microsoft.nwnet.com>
> To: Internet Information Server <iis-eval-info@microsoft.nwnet.com>
> Subject: IIS Hotfix Available
> Date: Friday, February 28, 1997 3:49 PM
>
> Dear Microsoft customer:
>
> Microsoft recently learned about a bug that affects all versions
> of Internet Information Server. We take these issues very seriously,
> and wanted to share information on the problem, and how to download
> the patch.
>
> The problem affects any script-mapped files that are requested from a
> virtual directory that has both Read and Execute permissions set,
> including files with the following extensions: .ASP, .IDQ, .IDC, .PL,
> etc. Adding one or more extra periods onto the end of the URL will
> cause the contents of the script to be displayed in the browser
> instead of executed on the server, allowing end-users to see
> information that may be confidential, such as server-side script
> logic. For example, it might be possible for an end-user to see the
> discount applied to the retail price from a database. For more
> information on the bug, please refer to:
> http://www.microsoft.com/iis/iisnews/hotnews/security.htm
>
> To download the hotfix, please connect to:
>
> ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postsp2/iis-fix.
> (Note: the hotfix depends on having either Windows NT
> Server 4.0 Service Pack 1a or Service Pack 2 installed. Please review
> the readme.lst for more information).
>
> Additionally, Microsoft recommends that customers store static pages and
> dynamic script pages in different virtual directories to ensure highest
> levels of security. It is further recommended to minimize your confidential
> information in script code.
>
> We apologize for the inconvenience this issue may have caused you. Our
> customers are key to helping keep Internet Information Server the most
> powerful, secure, high performance server available -- thank you again
> for your support. Please email any comments or concerns to
> iiswish@microsoft.com.
>
> Sincerely,
> The Microsoft Internet Information Server Team
>
>
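
For administrators checking whether the behaviour described in the advisory above was requested against their server, here is a log check added as an example; it is not part of the original message or of Microsoft's hotfix. It assumes access logs in Common Log Format; the sample lines are constructed and the function names are hypothetical.

```python
import re

# Script-mapped extensions named in the advisory ("etc." there means the
# list is not exhaustive); extend this to match the server's own script map.
SCRIPT_EXTENSIONS = {".asp", ".idq", ".idc", ".pl"}

# Request and status fields of a Common Log Format line (layout is an assumption).
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def trailing_dot_script(target):
    """Return the script path if target names a script-mapped file followed
    by one or more extra periods, otherwise None."""
    path = target.split("?", 1)[0]          # ignore any query string
    stripped = path.rstrip(".")
    if stripped == path:                    # no trailing period at all
        return None
    dot, slash = stripped.rfind("."), stripped.rfind("/")
    if dot <= slash:                        # last path segment has no extension
        return None
    return stripped if stripped[dot:].lower() in SCRIPT_EXTENSIONS else None

def scan(lines):
    """Return (line number, script path, HTTP status) for each matching request."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        script = trailing_dot_script(match.group("target"))
        if script:
            hits.append((number, script, int(match.group("status"))))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/1997:09:14:02 -0800] "GET /shop/price.asp HTTP/1.0" 200 1432',
    '192.0.2.77 - - [01/Mar/1997:09:15:40 -0800] "GET /shop/price.asp. HTTP/1.0" 200 5120',
    '192.0.2.77 - - [01/Mar/1997:09:15:52 -0800] "GET /scripts/query.IDQ..?q=x HTTP/1.0" 200 2210',
    '192.0.2.31 - - [01/Mar/1997:09:16:05 -0800] "GET /docs/readme.txt. HTTP/1.0" 404 0',
    '192.0.2.31 - - [01/Mar/1997:09:17:11 -0800] "GET /images/ HTTP/1.0" 200 880',
]

if __name__ == "__main__":
    for number, script, status in scan(SAMPLE_LOG):
        print(f"line {number}: {script} requested with trailing period(s), status {status}")
```

A hit with status 200 recorded before the hotfix was installed is the case to review first, since the script's contents may have been returned to the client.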