DATE: COMMAND SOURCE: AUTHOR: ASP SYSTEMS AFFECTED Win NT PROBLEM A serious security hole was found in Microsoft's Active Server Pages (ASP) by Juan T. Llibre <firstname.lastname@example.org>. This hole allows Web clients to download unprocessed ASP files potentially exposing user ids and passwords. ASP files are the common fi le type used by Microsoft's IIS and Active Server to perform server-side processing. To download an unprocessed ASP file, simply append a period to the asp URL. For example: http://www.domain1.com/default.asp becomes http://www.domain1.com/default.asp. With the period appendage, Internet Information Server (IIS) will send the unprocessed ASP file to the Web client, wherein the source to the file can be examined at will. If the source includes any security parameter designed to allow access to other system processes, such as an SQL database, they will be revealed. Paul Leach <paulle@MICROSOFT.COM> forwarded Microsoft's statement. "This problem affects any script-mapped files that are requested from a virtual directory which has both Read and Execute permissions set. In this case, adding one or more extra periods onto the end of the URL will cause the file to be displayed in the browser instead of executed on the server. This would allow clients of your web site to see any script code or other content in the script source file. This problem affects any script-mapped files - .asp, .idq htx/idc, .pl etc. - it is not limited to just .asp files." EXPLOIT SOLUTION There are three known ways to stop this behavior: 1. Turn read permissions off of the ASP directory in the Internet Service Manager. This may not be a practical solution since many sites mix ASP and HTML files. If your site mixes these files together in the same directories, you may want to segregate them immediately. Now and in the future, treat your ASP files like any other Web based executable, and keep them in separate directories wherein permissions can be adjusted accordingly. 2. Download this filter written by Christoph Wille Christoph.Wille@unileoben.ac.at which can be located at http://www.ntshop.net/security/tools/sechole.zip http://www.genusa.com/asp/patch/sechole.zip 3. Microsoft made hotfix available. To download the hotfix, connect to: ftp://ftp.microsoft.com and go to /bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postsp2/iis-fix. Note that the hotfix depends on having either Windows NT Server 4.0 Service Pack 1a or Service Pak 2 installed. You should review the readme.lst for more information. Additionally, Microsoft recommends that customers store static pages and dynamic script pages in different virtual directories to ensure highest levels of security. It is further recommended to minimize your confidential information in script code.