http://www.vigilante.com/inetsecurity/advisories/VIGILANTE-20010001.htm

Title: ASP source code retrieved with Unicode extension
Advisory Code: VIGILANTE-2001001
Author: Hack Kampbjørn
Release Date: 2001-06-22

Systems affected:
  Windows NT4 + IIS4 + sp3 (on FAT)
  Windows 2000 Server (on FAT)
  Windows 2000 Server + sp2 (on FAT)

Systems not affected:
  Windows NT4 + IIS4 + sp3 (on NTFS)
  Windows 2000 Server (on NTFS)
  Windows 2000 Server + sp2 (on NTFS)

The problem:
Active Server Pages (ASP) are web scripts that are executed on the Internet Information Server (IIS), and the result is sent to the user. IIS determines whether a file is an ASP script by its .asp extension. With Unicode there are many ways the asp extension can be encoded. On FAT file systems, IIS does not recognize some of these encodings as an ASP script; instead of executing the script on the server, it discloses the script's source code.

Vendor status:
Microsoft contacted 2001-05-28 and responded the same day:
"The Microsoft Security Response Center has investigated the report, but we note that the problem as reported would only affect an IIS server that has been configured to use a FAT volume. However, by design, FAT doesn't provide a security mechanism, and it's never an appropriate file system to use on a production web server. Instead, as discussed in Microsoft's best practices guides and security checklists (http://www.microsoft.com/technet/security/tools.asp), production servers should always use NTFS volumes. The reported problem does not affect systems using NTFS".

Vulnerability Assessment:
A test case to detect this vulnerability was added to SecureScan NX on June 22, 2001.

Fix:
As a workaround, convert the file system to NTFS. Also consider removing the read access right of IUSR_<hostname> from ASP scripts (giving IUSR_<hostname> execute rights only).

In general, follow Microsoft's Security Best Practices:
http://www.microsoft.com/technet/security/bestprac.asp
Internet Information Server 4.0 Security Checklist:
http://www.microsoft.com/technet/security/iischk.asp
or Secure Internet Information Services 5 Checklist:
http://www.microsoft.com/technet/security/iis5chk.asp

Copyright VIGILANTe.com, Inc. 2001-06-22

Disclaimer:
The information within this document may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any consequences whatsoever arising out of or in connection with the use or spread of this information. Any use of this information lies within the user's responsibility.

Feedback:
Please send suggestions, updates, and comments to isisat_private

VIGILANTe Vulnerability Disclosure Policy:
http://www.vigilante.com/inetsecurity/advisories/vulnerability_disclosure_policy.htm
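Added example, not part of the original advisory: a log check that canonicalizes each requested path before comparing its extension, and flags requests that end in .asp only after decoding. The log lines and encodings are constructed (the advisory does not list which encodings trigger the flaw), and the code assumes the log records the path as received.

```python
import re
import unicodedata
from urllib.parse import unquote

SCRIPT_EXT = ".asp"
PCT_U = re.compile(r"%u([0-9a-fA-F]{4})")  # IIS-style %uXXXX escape

# Constructed sample log (W3C extended format); not taken from the advisory.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-06-22 10:00:01 192.0.2.10 GET /default.asp 200
2001-06-22 10:00:02 192.0.2.11 GET /default.as%70 200
2001-06-22 10:00:03 192.0.2.11 GET /default.%uff41sp 200
2001-06-22 10:00:04 192.0.2.12 GET /images/logo.gif 200
2001-06-22 10:00:05 192.0.2.13 GET /DEFAULT.ASP 200
"""

def canonical_path(raw):
    """Decode %uXXXX and %XX escapes, then fold compatibility forms and case."""
    decoded = PCT_U.sub(lambda m: chr(int(m.group(1), 16)), raw)
    decoded = unquote(decoded, errors="replace")
    return unicodedata.normalize("NFKC", decoded).casefold()

def is_disguised_script(raw):
    """True if the path ends in .asp only after canonicalization."""
    literal = raw.casefold().endswith(SCRIPT_EXT)
    return not literal and canonical_path(raw).endswith(SCRIPT_EXT)

def flag_requests(log_text):
    """Return (client_ip, raw_path, status) for each disguised .asp request."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        path = row.get("cs-uri-stem", "")
        if is_disguised_script(path):
            hits.append((row.get("c-ip"), path, row.get("sc-status")))
    return hits

if __name__ == "__main__":
    for ip, path, status in flag_requests(SAMPLE_LOG):
        print(f"{ip} requested {path!r} (status {status})")
```

A 200 response to a flagged request on a FAT-hosted site is worth checking against the response body for script source.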