[VIGILANTE-2001001] ASP source code retrieved with Unicode extension
From: Hack Kampbjørn <hack.kampbjorn () vigilante com>
Date: Fri, 22 Jun 2001 14:19:06 +0200
-----BEGIN PGP SIGNED MESSAGE-----
ASP source code retrieved with Unicode extension
Systems affected:
Windows NT4 + IIS4 + sp3 (on FAT)
Windows 2000 Server (on FAT)
Windows 2000 Server + sp2 (on FAT)
Systems not affected:
Windows NT4 + IIS4 + sp3 (on NTFS)
Windows 2000 Server (on NTFS)
Windows 2000 Server + sp2 (on NTFS)
Active Server Pages (ASP) are web scripts that are executed on
the Internet Information Server (IIS), and the result is sent to
the user. IIS determines whether a file is an ASP script by
the .asp extension.
With Unicode there are many ways the asp extension can be
encoded. On FAT file systems some of them will not be
recognized by IIS as an ASP script and executed on the server;
instead IIS will disclose the source code of the script.
Microsoft was contacted on 2001-05-28 and responded the same day:
"The Microsoft Security Response Center has investigated the
report, but we note that the problem as reported would only
affect an IIS server that has been configured to use a FAT
volume. However, by design, FAT doesn't provide a security
mechanism, and it's never an appropriate file system to use on
a production web server. Instead, as discussed in Microsoft's
best practices guides and security checklists
production servers should always use NTFS volumes. The reported
problem does not affect systems using NTFS".
A test case to detect this vulnerability was added to
SecureScan NX on June 22, 2001.
As a workaround, convert the file system to NTFS, and consider
removing the read access right for IUSR_<hostname> from ASP
scripts (giving IUSR_<hostname> only execute rights).
In general follow Microsoft's Security Best Practices:
Internet Information Server 4.0 Security Checklist:
or Secure Internet Information Services 5 Checklist:
Copyright VIGILANTe.com, Inc. 2001-06-22
The information within this document may change without notice.
Use of this information constitutes acceptance for use in an AS
IS condition. There are NO warranties with regard to this
information. In no event shall the author be liable for any
consequences whatsoever arising out of or in connection with
the use or spread of this information. Any use of this
information lies within the user's responsibility.
Please send suggestions, updates, and comments to
isis () vigilante com
VIGILANTe Vulnerability Disclosure Policy:
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1
-----END PGP SIGNATURE-----
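
A detection-side sketch of the behaviour the advisory describes, added here as an example and not part of the VIGILANTe advisory or of SecureScan NX: it canonicalizes the file name in a raw request line (as a proxy or IDS in front of the server would see it) and flags requests whose extension only becomes .asp after decoding. The function names, the NFKC folding step and the sample request lines are assumptions of this example; the advisory does not list the specific encodings involved.

```python
import re
import unicodedata
from urllib.parse import unquote

# Extensions the server maps to a script engine (assumed; the advisory names .asp).
SCRIPT_EXTS = ("asp",)
U_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")  # IIS-style %uXXXX escape

def canonical_name(segment):
    """Decode %uXXXX and %XX escapes, then fold compatibility forms and case."""
    decoded = U_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), segment)
    decoded = unquote(decoded, encoding="utf-8", errors="replace")
    return unicodedata.normalize("NFKC", decoded).lower()

def check_request(request_line):
    """Return a finding for an encoded script extension, else None."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    path = parts[1].split("?", 1)[0]       # drop the query string
    segment = path.rsplit("/", 1)[-1]      # last path segment = file name
    for ext in SCRIPT_EXTS:
        suffix = "." + ext
        if segment.lower().endswith(suffix):
            return None  # literal extension: the normal script mapping applies
        if canonical_name(segment).endswith(suffix):
            return f"encoded .{ext} extension in {segment!r}"
    return None

def scan(lines):
    """Return (line, finding) pairs for every flagged request line."""
    return [(l, f) for l in lines if (f := check_request(l))]

# Constructed sample request lines, not taken from the advisory.
SAMPLE = [
    "GET /app/login.asp HTTP/1.0",
    "GET /app/login.as%70 HTTP/1.0",
    "GET /app/login.%u0061sp HTTP/1.0",
    "GET /images/logo.gif HTTP/1.0",
]

if __name__ == "__main__":
    for line, finding in scan(SAMPLE):
        print(f"{finding}: {line}")
```

A flagged request that was answered with a success status is worth reviewing for script source in the response body.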