Home page logo

bugtraq logo Bugtraq mailing list archives

Re: [NTSEC] ! [ADVISORY] Major Security Hole in MS ASP
From: paulle () MICROSOFT COM (Paul Leach)
Date: Thu, 20 Feb 1997 13:51:04 -0800

Microsoft is aware of this problem and working on a hotfix now. As
soon as the fix is available, it will be posted to our ftp site, and
we will reply to this mail with details on how to download and apply
the fix.

More information:

This problem affects any script-mapped files that are requested from a
virtual directory which has both Read and Execute permissions set. In
this case, adding one or more extra periods onto the end of the URL
will cause the file to be displayed in the browser instead of executed
on the server. This would allow clients of your web site to see any
script code or other content in the script source file. This problem
affects any script-mapped files -- asp, htx/idc, etc. -- it is not
limited to just .asp files.

Until we have the fix ready, if you have any sensitive content in your
script files, the only precaution that we know prevents this problem
is to turn off virtual directory Read permissions on directories
containing .asp files. Note: this will make other files (.htm, .gif)
in the same directory inaccessible as well, so it may necessitate some
content restructuring. Third parties on this and other mailing lists
have suggested other solutions, but we have not tested them.

We will provide a hotfix for this problem as soon as possible.

From:         Mark Joseph Edwards[SMTP:mark () ntshop net]
Sent:         Thursday, February 20, 1997 9:39 AM
To:   'bugtraq () netspace org'
Cc:   'ntbugtraq () rc on ca'; 'ntsecurity () iss net'
Subject:      [NTSEC] ! [ADVISORY] Major Security Hole in MS ASP

               Security Hole in ASP Discovered in Microsoft ASP
                              February 20, 1997

A serious security hole was found in Microsoft's Active Server Pages
(ASP) by Juan T. Llibre <j.llibre () codetel net do>. This hole allows
Web clients to download unprocessed ASP files potentially exposing
user ids and passwords. ASP files are the common file type used by
Microsoft's IIS and Active Server to perform server-side processing.

To download an unprocessed ASP file, simply append a period to the asp
URL. For example: http://www.domain1.com/default.asp becomes
http://www.domain1.com/default.asp. With the period appendage,
Internet Information Server (IIS) will send the unprocessed ASP file
to the Web client, wherein the source to the file can be examined at
will. If the source includes any security parameter designed to allow
access to other system processes, such as an SQL  database, they will
be revealed.

There are two known ways to stop this behavior:

1.Turn read permissions off of the ASP directory in the Internet
Service Manager. This may not be a practical solution since many sites
mix ASP and HTML files. If your site mixes these files together in the
same directories, you may want to segregate them immediately. Now and
in the future, treat your ASP files like any other Web based
executable, and keep them in separate directories wherein permissions
can be adjusted accordingly.

2.Download this filter written by Christoph Wille
Christoph.Wille () unileoben ac at which can be located at
http://www.ntshop.net/security/tools/sechole.zip or from


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]