DATE:  
COMMAND                                            SOURCE: 
                                                   AUTHOR: 
  ASP


SYSTEMS AFFECTED

  Win NT

  

PROBLEM


    A serious security hole was found in Microsoft's Active Server
    Pages (ASP) by Juan T. Llibre <j.llibre@codetel.net.do>. This
    hole allows Web clients to download unprocessed ASP files,
    potentially exposing user ids and passwords. ASP files are the
    common file type used by Microsoft's IIS and Active Server to
    perform server-side processing.



    To download an unprocessed ASP file, simply append a period to
    the ASP URL. For example, http://www.domain1.com/default.asp
    becomes http://www.domain1.com/default.asp. (note the trailing
    period). With the period appended, Internet Information Server
    (IIS) will send the unprocessed ASP file to the Web client, where
    the source of the file can be examined at will. If the source
    includes any security parameters designed to allow access to
    other system processes, such as an SQL database, they will be
    revealed.



    Paul Leach <paulle@MICROSOFT.COM> forwarded Microsoft's statement.
    "This problem affects any script-mapped files that are requested
    from a virtual directory which has both Read and Execute
    permissions set. In this case, adding one or more extra periods
    onto the end of the URL will cause the file to be displayed in
    the browser instead of executed on the server. This would allow
    clients of your web site to see any script code or other content
    in the script source file. This problem affects any script-mapped
    files - .asp, .idq htx/idc, .pl etc. - it is not limited to just
    .asp files."





EXPLOIT

  

SOLUTION


    There are three known ways to stop this behavior:



    1. Turn off Read permission on the ASP directory in the Internet
       Service Manager. This may not be a practical solution since
       many sites mix ASP and HTML files. If your site mixes these
       files together in the same directories, you may want to
       segregate them immediately. Now and in the future, treat your
       ASP files like any other Web-based executable, and keep them
       in separate directories where permissions can be adjusted
       accordingly.



    2. Download this filter, written by Christoph Wille
       <Christoph.Wille@unileoben.ac.at>, which can be located at

            http://www.ntshop.net/security/tools/sechole.zip
            http://www.genusa.com/asp/patch/sechole.zip



    3. Microsoft made a hotfix available. To download the hotfix,
       connect to:

            ftp://ftp.microsoft.com

       and go to

            /bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postsp2/iis-fix.



    Note that the hotfix depends on having either Windows NT Server
    4.0 Service Pack 1a or Service Pack 2 installed. You should review
    the readme.lst for more information.



    Additionally, Microsoft recommends that customers store static
    pages and dynamic script pages in different virtual directories
    to ensure the highest level of security. It is further recommended
    to minimize the confidential information kept in script code.
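
    To check whether a server was already asked for script source this
    way before one of the fixes was applied, the following added example
    (not part of the original advisory, the filter or the hotfix) scans
    access-log lines for script-mapped URLs that end in one or more
    periods. It assumes NCSA Common Log Format; the function names and
    the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Script-mapped extensions named in Microsoft's statement.
SCRIPT_EXTS = ("asp", "idq", "htx", "idc", "pl")

# Assumed log format (NCSA Common Log Format):
# host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)
# A script-mapped extension followed by one or more periods at the end of the path.
TRAILING_DOT = re.compile(r'\.(?:%s)\.+$' % "|".join(SCRIPT_EXTS), re.IGNORECASE)

def find_source_requests(lines):
    """Return (host, path, status) for requests matching the trailing-period pattern."""
    hits = []
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue  # not a CLF line; skip it
        # Drop the query string, then decode percent-escapes before matching.
        path = unquote(urlsplit(m["target"]).path)
        if TRAILING_DOT.search(path):
            hits.append((m["host"], path, int(m["status"])))
    return hits

def disclosed(hits):
    """Hits answered with 200: content was returned, so treat credentials in that file as exposed."""
    return [h for h in hits if h[2] == 200]

# Constructed sample log lines (not from a real server).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2000:10:00:01 +0000] "GET /default.asp HTTP/1.0" 200 2048',
    '192.0.2.77 - - [01/Jan/2000:10:02:13 +0000] "GET /default.asp. HTTP/1.0" 200 5121',
    '192.0.2.77 - - [01/Jan/2000:10:02:20 +0000] "GET /scripts/query.idq...?q=1 HTTP/1.0" 404 310',
    '192.0.2.31 - - [01/Jan/2000:10:05:44 +0000] "GET /docs/readme.txt. HTTP/1.0" 200 900',
    '192.0.2.31 - - [01/Jan/2000:10:06:02 +0000] "GET /cgi/Report.PL. HTTP/1.0" 200 1200',
]

if __name__ == "__main__":
    for host, path, status in find_source_requests(SAMPLE):
        print(host, path, status)
```

    Any hit with status 200 names a script whose embedded user ids and
    passwords should be changed, not just a server that needs the fix.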