NT SECURITY NEWS
7/27/99

Viewing Files with IIS
Reported May 8, 1999 by Andrey Kruchkov

VERSIONS AFFECTED

* Microsoft Site Server 3.0, which is included with Microsoft Site Server 3.0 Commerce Edition, Microsoft Commercial Internet System 2.0, and Microsoft BackOffice Server 4.0 and 4.5
* Microsoft Internet Information Server 4.0

DESCRIPTION

Andrey Kruchkov reported a problem with Site Server 3.0 on March 31, 1999, in which certain virtual directories contain files that could expose sensitive system information. The ASP scripts ShowCode.asp, ViewCode.asp and CodeBrws.asp, and the executable Winmsdp.exe, can be used to obtain the contents of a file on the system's disks.

DEMONSTRATION

The following URL could be used to obtain the contents of the BOOT.INI file (wrapped for readability):

    http://somesite-name-here/msadc/Samples/SELECTOR/showcode.asp?
    source=/msadc/Samples/../../../../../boot.ini

Similar URLs could be used to obtain any file on the system. For example, Daniel Saito points out that CODEBRWS.ASP can be used to view Outlook mail folders (wrapped for readability):

    http://some-sitename-here/iissamples/exair/howitworks/codebrws.asp?
    source=/../../winnt/Profiles/Administrator/Application%20Data/Microsoft/
    Outlook%20Express/Mail/inbox.mbx

VENDOR COMMENTS

Microsoft issued a bulletin (MS99-013) regarding this problem, and recommends users read Support Online article Q231368. The bulletin states:

"Customers should take the following steps to eliminate the vulnerability on their web servers:

- Unless the affected file viewers are specifically required on the web site, they should be removed. The following file viewers are affected: ViewCode.asp, ShowCode.asp, CodeBrws.asp and Winmsdp.exe. Depending on the specific installation, not all of these files may be present on a server. Likewise, there may be multiple copies of some files, so customers should do a full search of their servers to locate all copies.

- In accordance with standard security guidelines, file permissions should always be set to enable web visitors to access only the files they need, and no others. Moreover, files that are needed by web visitors should provide the least privilege needed; for example, files that web visitors need to be able to read but not write should be set to read-only.

- As a general rule, sample files and vroots should always be deleted from a web server prior to putting it into production. If they are needed, file access permissions should be used to regulate access to them as appropriate."

CREDITS

Discovered by Andrey Kruchkov
Posted here at The NT Shop on May 9, 1999
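
An added example, not part of the original advisory or of Microsoft's bulletin: a Python check that scans a W3C-format IIS log for requests to the four file viewers and marks those whose query values climb above the web root with "..", as in the demonstration URLs. The log lines, field layout and client addresses are constructed for illustration, and the function names are hypothetical.

```python
from urllib.parse import parse_qs, unquote

# File viewers named in MS99-013, matched case-insensitively.
VIEWERS = {"showcode.asp", "viewcode.asp", "codebrws.asp", "winmsdp.exe"}

# Constructed sample log (not from the page); the field layout is an assumption.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
1999-05-10 08:01:12 192.0.2.10 GET /msadc/Samples/SELECTOR/showcode.asp source=/msadc/Samples/../../../../../boot.ini 200
1999-05-10 08:02:40 192.0.2.11 GET /iissamples/exair/howitworks/CodeBrws.asp source=/iissamples/exair/howitworks/default.asp 200
1999-05-10 08:03:05 192.0.2.12 GET /default.asp - 200
"""

def escapes_root(value):
    """True if a path value climbs above the web root via '..' segments."""
    path = unquote(value).replace("\\", "/")  # decode once more, unify separators
    depth = 0
    for part in path.split("/"):
        if part == "..":
            depth -= 1
            if depth < 0:          # more '..' than directories entered so far
                return True
        elif part not in ("", "."):
            depth += 1
    return False

def scan_w3c_log(text):
    """Return (client_ip, viewer, traversal) for every request to a listed viewer."""
    fields, hits = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the records that follow
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split()))
            viewer = rec.get("cs-uri-stem", "").rsplit("/", 1)[-1].lower()
            if viewer in VIEWERS:
                # parse_qs URL-decodes each value; a bare "-" query yields no values
                query = parse_qs(rec.get("cs-uri-query", ""))
                values = [v for vals in query.values() for v in vals]
                traversal = any(escapes_root(v) for v in values)
                hits.append((rec.get("c-ip", "?"), viewer, traversal))
    return hits

if __name__ == "__main__":
    for ip, viewer, traversal in scan_w3c_log(SAMPLE_LOG):
        print(f"{ip} requested {viewer}: {'TRAVERSAL' if traversal else 'viewer in use'}")
```

Any hit, with or without traversal, means a copy of a file viewer is still reachable on the server, which the bulletin says should be removed unless specifically required.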