Great Circle Associates Firewalls
(March 1997)
 


Subject: (Fwd) IIS Security problem/Hotfix Available
From: "Michael Cunningham" <mjcunnin @ paranet . com>
Organization: Paranet
Date: Thu, 6 Mar 1997 00:57:45 +0000
To: firewalls @ greatcircle . com
Comments: Authenticated sender is <mjcunnin @ pop . srv . paranet . com>
Reply-to: mjcunnin @ paranet . com

Microsoft recently learned about a bug that affects all versions
of Internet Information Server. We take these issues very seriously,
and wanted to share information on the problem, and how to download
the patch.
 
The problem affects any script-mapped files that are requested from a
virtual directory that has both Read and Execute permissions set,
including files with the following extensions: .ASP, .IDQ, .IDC, .PL,
etc.  Adding one or more extra periods onto the end of the URL will
cause the contents of the script to be displayed in the browser
instead of executed on the server, allowing end-users to see
information that may be confidential, such as server-side script
logic. For example, it might be possible for an end-user to see the
discount applied to the retail price from a database.  For more
information on the bug, please refer to:
http://www.microsoft.com/iis/iisnews/hotnews/security.htm
 
To download the hotfix, please connect to:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postsp2/iis-fix
(Note: the hotfix depends on having either Windows NT Server 4.0
Service Pack 1a or Service Pack 2 installed. Please review the
readme.lst for more information).
 
Additionally, Microsoft recommends that customers store static pages and 
dynamic script pages in different virtual directories to ensure highest 
levels of security. It is further recommended to minimize your confidential 
information in script code.
 
We apologize for the inconvenience this issue may have caused you. Our
customers are key to helping keep Internet Information Server the most
powerful, secure, high performance server available -- thank you again
for your support. Please email any comments or concerns to
iiswish @ microsoft . com.
 
 
Sincerely,
The Microsoft Internet Information Server Team
 
 
To keep our customers informed about our latest products and services,
Microsoft sends notifications via electronic mail.  If you would
prefer to not receive these notifications, please send e-mail to
microsoft-request @ microsoft . nwnet . com with

  unsubscribe iis-eval-news

on a line all by itself in the body of the message. 
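The advisory describes the trigger precisely: a request for a script-mapped file whose URL carries one or more extra trailing periods is served as source rather than executed. That is also a clean detection signature for an administrator reviewing web-server logs while the hotfix is rolled out. The following is an added example, not part of the forwarded advisory or any Microsoft tool; it scans constructed log lines in a simplified Common Log Format (not real IIS log output) and flags requests that end in a script extension followed by extra periods. The extension list is an assumption drawn from the advisory's examples and should be replaced with the server's actual script map.

```python
"""Flag trailing-period requests to script-mapped files in web-server logs.

Added example (not from the advisory or from Microsoft). It implements the
check an administrator would run over access logs: a request whose final
path segment is a script-mapped extension followed by one or more extra
periods matches the source-disclosure condition the advisory describes.
"""
import re
from urllib.parse import urlsplit

# Assumption: the advisory lists these extensions and says "etc."; a real
# deployment should load the exact script map configured on the server.
SCRIPT_EXTENSIONS = {".asp", ".idq", ".idc", ".pl"}

# Final path segment ending in <.ext><one or more extra periods>,
# e.g. "/shop/price.asp." or "/cgi/query.idq..."
_TRAILING_DOT = re.compile(r"(\.[A-Za-z0-9]+)(\.+)$")


def is_trailing_dot_probe(request_target: str) -> bool:
    """True if the request path targets a script-mapped file with extra periods."""
    path = urlsplit(request_target).path  # drop any ?query=... before checking
    m = _TRAILING_DOT.search(path)
    if not m:
        return False
    return m.group(1).lower() in SCRIPT_EXTENSIONS


# Constructed sample log lines (simplified Common Log Format, not IIS format).
SAMPLE_LOG = """\
10.0.0.5 - - [06/Mar/1997:00:57:45 +0000] "GET /shop/price.asp HTTP/1.0" 200 512
10.0.0.5 - - [06/Mar/1997:00:58:01 +0000] "GET /shop/price.asp. HTTP/1.0" 200 2048
10.0.0.7 - - [06/Mar/1997:00:58:30 +0000] "GET /images/logo.gif. HTTP/1.0" 200 3012
10.0.0.5 - - [06/Mar/1997:00:59:12 +0000] "GET /cgi/query.idq... HTTP/1.0" 200 1800
10.0.0.9 - - [06/Mar/1997:01:00:00 +0000] "GET /scripts/form.pl?x=1 HTTP/1.0" 200 90
"""

_LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def find_probes(log_text: str):
    """Return (client, target, status) for every line matching the condition.

    A 200 status on a matching line is the case worth investigating: the
    unpatched server answered the request, so the script source was sent.
    """
    hits = []
    for line in log_text.splitlines():
        m = _LOG_LINE.match(line)
        if not m:
            continue  # unparsable line; a production scanner would count these
        if is_trailing_dot_probe(m.group("target")):
            hits.append((m.group("client"), m.group("target"), int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for client, target, status in find_probes(SAMPLE_LOG):
        print(f"{client} requested {target} -> {status}")
```

Note that `/images/logo.gif.` is deliberately not flagged: the advisory scopes the problem to script-mapped files in directories with both Read and Execute set, and a static file served as-is discloses nothing it would not have disclosed anyway. Extending `SCRIPT_EXTENSIONS` to whatever the server's script map actually contains is the one local change needed.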

