IIS ASP dot bug |
---|
Risk Level: | Medium | Check or Attack Name: Aspdot check |
---|---|---|
Platforms: | IIS: 3.0 and earlier | |
Description: | This version of Microsoft Internet Information Server (IIS) returns the source of Active Server Pages (.asp files) when a period is appended to the URL. Scripting information, in addition to other data in the file, is visible. Potentially proprietary web server files (such as those with .ASP, .HTX, and .IDC file name extensions) may contain sensitive information (such as user IDs and passwords) that is embedded in the source code and not normally available to remote users. |
|
Remedy: | Upgrade to the latest version of Microsoft Internet Information Server at http://www.microsoft.com/iis. If upgrading to the latest version is not possible, download and apply the iis-fix patch. To download and install the patch, follow these steps:
Temporary Fix: Disable read permissions for the ASP directory in the Internet Service Manager. This may not be a practical solution since many sites mix ASP and HTML files. If your site mixes these files together in the same directories, segregate them immediately. ASP files should be treated as any other web-based executable and kept in separate directories where permissions can be adjusted. |
|
References: | Microsoft Knowledge Base Article Q163485, Active Server Pages Script Appears in Browser, http://support.microsoft.com/support/kb/articles/q163/4/85.asp
Microsoft Knowledge Base Article Q163485, Active Server Pages Script Appears in Browser, ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postsp2/iis-fix/Q163485.txt
BUGTRAQ Mailing List, Paul Leach (paulle@MICROSOFT.COM), Re: Major Security Hole in MS ASP, http://geek-girl.com/bugtraq/1997_1/0197.html
BUGTRAQ Mailing List, Mark Joseph Edwards (mark@NTSHOP.NET), Major Security Hole in MS ASP, http://geek-girl.com/bugtraq/1997_1/0191.html
The NT Shop, Microsoft IIS and Active Server Advisory, http://www.ntsecurity.net/security/asp-files.htm |
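
The behaviour in the Description can be looked for on the defender's side by searching access logs for .asp, .htx or .idc file names requested with a trailing period. The following is an added example, not part of the original advisory or of any Microsoft tooling; the NCSA common log format, the sample log lines and the function names are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Script-mapped extensions named in the Description above.
SCRIPT_EXTS = (".asp", ".htx", ".idc")

# Assumed log layout (NCSA common log format):
# host ident user [time] "METHOD target PROTOCOL" status bytes
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

def trailing_dot_script(target):
    """True if the requested file is a script name followed by one or more periods."""
    # Decode percent-escapes and drop the query string so the check sees the file name.
    path = unquote(urlsplit(target).path).lower()
    stripped = path.rstrip(".")
    return stripped != path and stripped.endswith(SCRIPT_EXTS)

def find_probes(lines):
    """Return (host, time, target, status, disclosed) for each matching request."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not trailing_dot_script(m["target"]):
            continue
        status = int(m["status"])
        # Heuristic (assumption): a 200 with a body means file content was served.
        disclosed = status == 200 and m["size"] not in ("-", "0")
        hits.append((m["host"], m["time"], m["target"], status, disclosed))
    return hits

# Constructed sample log lines (documentation-range addresses, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/1997:10:01:02 -0500] "GET /default.asp HTTP/1.0" 200 1843',
    '192.0.2.44 - - [12/Mar/1997:10:03:17 -0500] "GET /shop/login.asp. HTTP/1.0" 200 5120',
    '192.0.2.44 - - [12/Mar/1997:10:03:20 -0500] "GET /shop/query.idc.?id=1 HTTP/1.0" 404 -',
    '192.0.2.10 - - [12/Mar/1997:10:04:00 -0500] "GET /docs/readme. HTTP/1.0" 200 300',
]

if __name__ == "__main__":
    for host, when, target, status, disclosed in find_probes(SAMPLE_LOG):
        note = "content returned, review the file for embedded credentials" if disclosed else "no content returned"
        print(f"{when} {host} {target} -> {status} ({note})")
```

Any hit flagged as disclosed points at a file whose embedded user IDs and passwords should be treated as exposed and rotated.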