IIS ASP DATA bug in Windows NT-based web servers |
---|
Risk Level: | Medium | Check or Attack Name: DATA bug |
---|---|---|
Platforms: | IIS: 2.0, IIS: 3.0, IIS: 4.0, IIS: 1.0 | |
Description: | Microsoft's Internet Information Server (IIS) contains a vulnerability in how it handles the multiple data streams NTFS provides for each file. By appending the string ::$DATA, a remote user could view the contents of a file that would normally be processed by an Application Mapping, such as Active Server Pages (ASP). The attacker, however, must already have read access to this file to view its contents. |
Remedy: | Users of IIS versions earlier than 3.0 should upgrade to a more recent version (3.0 or 4.0). The following hotfixes have been made available for IIS 3.0 and 4.0: |
References: | Microsoft Security Bulletin MS98-003, File Access Issue with Windows NT Internet Information Server (IIS), http://www.microsoft.com/security/bulletins/ms98-003.asp; Microsoft Knowledge Base Article Q188806, ::$DATA Data Stream Name of a File May Return Source, http://support.microsoft.com/support/kb/articles/q188/8/06.asp; NTBUGTRAQ Mailing List, ASP vulnerability with Alternate Data Streams, http://www.ntbugtraq.com/page_archives_wa.asp?A2=ind9807&L=NTBUGTRAQ&P=R428; Allaire Security Bulletin ASB99-03, ASB99-03: Microsoft Internet Information Server Exposure of Source Code with '::$DATA', http://www.allaire.com/handlers/index.cfm?ID=8729&Method=Full |
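
To check whether a server has received requests of the kind described above, the following added example (not part of the original advisory) scans web server logs for request paths that name the `::$DATA` stream. It assumes W3C extended log format with a `#Fields:` directive containing `c-ip`, `cs-uri-stem` and `sc-status`; the sample log is constructed, and the percent-decoding step goes beyond the literal string the advisory mentions so that encoded spellings are also caught.

```python
from urllib.parse import unquote

# Marker from the advisory: the NTFS default data stream suffix (matched case-insensitively).
STREAM_SUFFIX = "::$data"

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so single- and double-encoded forms normalize."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_data_stream_requests(log_text):
    """Return (client_ip, uri_stem, status) for requests whose path names ::$DATA."""
    fields, hits = [], []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            # The directive names the columns of the entries that follow it.
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = fully_decode(row.get("cs-uri-stem", ""))
        if STREAM_SUFFIX in stem.lower():
            hits.append((row.get("c-ip"), stem, row.get("sc-status")))
    return hits

# Constructed sample log (documentation IP addresses, hypothetical paths).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
1998-07-02 10:01:11 192.0.2.10 GET /default.asp 200
1998-07-02 10:01:15 192.0.2.44 GET /default.asp::$DATA 200
1998-07-02 10:01:19 192.0.2.44 GET /login.asp%3A%3A%24data 200
1998-07-02 10:02:03 198.51.100.7 GET /images/logo.gif 200
"""

if __name__ == "__main__":
    for ip, stem, status in find_data_stream_requests(SAMPLE_LOG):
        print(f"{ip} requested {stem} -> {status}")
```

A hit with status 200 on a mapped file type such as `.asp` is the case to review first, since it indicates the server answered the request rather than rejecting it.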