IIS ASP dot bug

Risk Level: Medium

Check or Attack Name: aspsource

Platforms: Windows NT

Description:

Affected versions of Microsoft Internet Information Server (IIS) return the source of an Active Server Pages file (.asp) instead of executing it when a period is appended to the URL, for example by requesting /login.asp. rather than /login.asp. Windows NT strips the trailing period when it opens the file, so the request still resolves to the .asp file on disk, but the extension as requested no longer matches the mapping that hands .asp requests to the ASP interpreter, and IIS serves the file as static content. The server-side script, together with any other data in the file, is therefore visible to a remote user.

Server-side files such as those with .ASP, .HTX and .IDC file name extensions may contain sensitive information (for example database user IDs and passwords) embedded in the source that is not normally available to remote users.

Remedy:

Upgrade to the latest version of Microsoft IIS at http://www.microsoft.com/iis.

—OR—

If upgrading to the latest version is not possible, download the patch provided by Microsoft from ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postsp2/iis-fix.

Temporary Fix: In the Internet Service Manager, remove Read permission from the directory containing the ASP files (ASP only needs Execute permission; without Read, IIS will not serve the file as static content). This may not be practical where a site mixes ASP and HTML files in the same directories, since the HTML files also need Read. If your site mixes these files, segregate them immediately: ASP files should be treated like any other web-based executable and kept in separate directories where permissions can be adjusted independently.

References:

Microsoft Knowledge Base Article Q163485, Active Server Pages Script Appears in Browser, http://support.microsoft.com/support/kb/articles/q163/4/85.asp

Microsoft Knowledge Base Article Q164059, IIS Execution File Text Can Be Viewed in Client, http://support.microsoft.com/support/kb/articles/q164/0/59.asp

Microsoft Internet Information Server Home Page, Microsoft Windows NT Server Web Services, http://www.microsoft.com/iis/default.asp

BUGTRAQ Mailing List, Paul Leach (paulle@MICROSOFT.COM), Re: Major Security Hole in MS ASP, http://geek-girl.com/bugtraq/1997_1/0197.html

BUGTRAQ Mailing List, Mark Joseph Edwards (mark@NTSHOP.NET), Major Security Hole in MS ASP, http://geek-girl.com/bugtraq/1997_1/0191.html

The NT Shop, Microsoft IIS and Active Server Advisory, http://www.ntsecurity.net/security/asp-files.htm

Microsoft Knowledge Base Article Q163485, Active Server Pages Script Appears in Browser, ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP2/iis-fix/Q163485.txt

Microsoft Knowledge Base Article Q164059, IIS Execution File Text Can Be Viewed in Client, ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP2/iis-fix/Q164059.txt
