IIS Security Fixes Announced
- By Scott Bekker
- December 22, 1999
Security vulnerabilities involving Microsoft Internet Information Server and software that runs atop it - one that could give unauthorized access to a Web server and the other that could bypass the normal server-side processing of the file - have been discovered and fixed.
One vulnerability could allow files on a Web server to be specified using an alternate representation, in order to bypass access controls of some third-party applications. Request for comments (RFC) standard 1738 specifies that Web servers must allow hexadecimal digits to be input in URLs by preceding them with the percent sign, the so-called "escape" character. IIS complies with this standard, but also accepts characters after the percent sign that are not hexadecimal digits. Some of these translate to printable ASCII characters, and this could provide an alternate means of specifying files in URLs.
While this vulnerability does not affect IIS, it does affect third-party applications that run atop IIS but do not perform canonicalization. Microsoft IIS 4.0, Site Server 3.0, and Site Server Commerce Edition 3.0 are affected by the vulnerability. The Intel version of the patch is available at http://www.microsoft.com/Downloads/Release.asp?ReleaseID=16357 and the Alpha version is available at http://www.microsoft.com/Downloads/Release.asp?ReleaseID=16358.
Another vulnerability could cause a Web server to send the source code of .ASP and other files to a visiting user.
If a file on one of the affected Web server products resides in a virtual directory whose name contains a legal file extension, the normal server-side processing of the file can be bypassed. The vulnerability would manifest itself in different ways depending on the specific file type requested, the specific file extension in the virtual directory name, and the permissions that the requester has in the directory. In most cases, an error would result and the requested file would not be served. In the worst case, the source code of .ASP or other files could be sent to the browser.
This vulnerability would be most likely to occur due to administrator error or if a product generated an affected virtual directory name by default (Front Page Server Extensions is one such product). Recommended security practices militate against including sensitive information in .ASP and other files that require server-side processing, and if this recommendation is observed, there would be no sensitive information divulged even if this vulnerability occurred. However, an affected virtual directory could be detected during routine testing of the server.
Microsoft IIS 4.0, Site Server 3.0, and Site Server Commerce Edition 3.0 are affected by this vulnerability. The Intel version of the patch is available at http://www.microsoft.com/Downloads/Release.asp?ReleaseID=16378 and the Alpha version is available at http://www.microsoft.com/Downloads/Release.asp?ReleaseID=16739. -- Isaac Slepner
Scott Bekker is editor in chief of Redmond Channel Partner magazine.