Microsoft IIS Vulnerabilities
Impact
Remote users can view files to which they should not have access.
Background
Microsoft IIS 4.0 includes sample web sites to assist web developers. It also includes the files CodeBrws.asp, Code.asp, and Showcode.asp, which let web developers view the code that makes the sample web sites work.
The Problem
These three ASP files (CodeBrws.asp, Code.asp, and Showcode.asp) could allow a remote user to view any file on the same logical disk as the ASP files.
In order to exploit the vulnerability, an attacker would need to know the name and path of the file to view. Also, files whose access control lists deny read access could not be viewed by exploiting this vulnerability.
Resolutions
Delete the following files. They are for demonstration purposes only, and there is usually no need for them on an operational web server. (IIS_DIRECTORY is the path to the directory containing the IIS files.)
- IIS_DIRECTORY\iissamples\Exair\Howitworks\Code.asp
- IIS_DIRECTORY\iissamples\Exair\Howitworks\Codebrws.asp
- IIS_DIRECTORY\iissamples\Sdk\Asp\Docs\Codebrws.asp
- \Program_Files\Common_Files\System\Msadc\Samples\Selector\Showcode.asp
If these files are needed on your web server, then set the access control list for these files to allow access only by authorized users, or install the hotfix described in Microsoft Knowledge Base article Q232449.
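The following audit helper is an added example and is not part of the advisory or of any Microsoft tool. It does two things the sections above call for: it builds the list of sample-file paths to delete or restrict from a given IIS_DIRECTORY, and it scans IIS W3C extended log lines for requests that target Code.asp, Codebrws.asp or Showcode.asp, so an administrator can see whether the sample scripts were being requested before they were removed. The log layout (a subset of the W3C fields), the log lines themselves, the example IIS_DIRECTORY value, the Program Files default and the virtual path used for Showcode.asp are all assumptions constructed for the example; the Program Files path is written with spaces, where the advisory shows underscores.

```python
"""Audit helpers for the IIS 4.0 sample-script exposure (added example, not
part of the advisory). The log layout and log lines below are constructed."""
from pathlib import PureWindowsPath
from urllib.parse import unquote

# The three sample scripts named in the advisory. Names are compared
# case-insensitively because NTFS and IIS URL matching are case-insensitive.
SAMPLE_SCRIPTS = frozenset({"codebrws.asp", "code.asp", "showcode.asp"})

# Relative on-disk locations listed under "Resolutions". The first three are
# relative to the IIS install directory; the last one lives under Program Files
# (the advisory writes that path with underscores; the directory names
# actually contain spaces).
IIS_RELATIVE_SAMPLES = (
    r"iissamples\Exair\Howitworks\Code.asp",
    r"iissamples\Exair\Howitworks\Codebrws.asp",
    r"iissamples\Sdk\Asp\Docs\Codebrws.asp",
)
PROGRAM_FILES_RELATIVE_SAMPLES = (
    r"Common Files\System\Msadc\Samples\Selector\Showcode.asp",
)


def sample_file_paths(iis_dir, program_files=r"C:\Program Files"):
    """Return the absolute paths an administrator should delete or restrict.
    iis_dir is the directory holding the IIS files (IIS_DIRECTORY in the text);
    the Program Files default is an assumption for a typical install."""
    iis_root = PureWindowsPath(iis_dir)
    pf_root = PureWindowsPath(program_files)
    paths = [str(iis_root / rel) for rel in IIS_RELATIVE_SAMPLES]
    paths += [str(pf_root / rel) for rel in PROGRAM_FILES_RELATIVE_SAMPLES]
    return paths


# Constructed W3C extended log excerpt using the fields
# "date time c-ip cs-method cs-uri-stem sc-status" (a subset of what IIS logs).
# The virtual path for Showcode.asp is an assumption.
SAMPLE_LOG_LINES = [
    "#Software: Microsoft Internet Information Server 4.0",
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status",
    "1999-06-25 10:02:11 10.0.0.5 GET /default.asp 200",
    "1999-06-25 10:02:15 10.0.0.5 GET /iissamples/exair/howitworks/Code.asp 200",
    "1999-06-25 10:03:40 192.0.2.77 GET /msadc/Samples/SELECTOR/showcode.asp 200",
    "1999-06-25 10:04:02 192.0.2.77 GET /iissamples/sdk/asp/docs/CodeBrws.asp 404",
    "1999-06-25 10:05:00 10.0.0.9 GET /images/logo.gif 200",
]


def parse_w3c_line(line):
    """Parse one data line of the constructed layout into a dict, or return
    None for directive lines (starting with '#'), blank lines and lines with an
    unexpected field count or a non-numeric status."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) != 6:
        return None
    date, time, client, method, uri_stem, status = fields
    try:
        status_code = int(status)
    except ValueError:
        return None
    return {"date": date, "time": time, "client": client, "method": method,
            "uri_stem": uri_stem, "status": status_code}


def sample_script_name(uri_stem):
    """Return the lower-cased sample-script name if the request targets one of
    the three scripts, else None. Percent-encoding is decoded first so an
    encoded name is not missed; only the final path component is compared,
    because the scripts sit under more than one virtual directory."""
    name = unquote(uri_stem).rsplit("/", 1)[-1].lower()
    return name if name in SAMPLE_SCRIPTS else None


def flag_sample_script_requests(lines):
    """Return the parsed requests that hit a sample script, with the matched
    script name added. Requests are flagged regardless of status code: a 404
    still shows that someone asked for the file."""
    hits = []
    for line in lines:
        record = parse_w3c_line(line)
        if record is None:
            continue
        script = sample_script_name(record["uri_stem"])
        if script is not None:
            record["script"] = script
            hits.append(record)
    return hits


if __name__ == "__main__":
    # Example IIS_DIRECTORY value; substitute the real path on the server.
    for path in sample_file_paths(r"C:\Winnt\System32\inetsrv"):
        print("remove or restrict:", path)
    for hit in flag_sample_script_requests(SAMPLE_LOG_LINES):
        print(f"{hit['date']} {hit['time']} {hit['client']} -> "
              f"{hit['script']} ({hit['status']})")
```

The status code is kept in each hit rather than used as a filter: a 200 on one of these scripts means the sample was reachable, while a 404 after the files were deleted confirms the resolution took effect and still shows who asked.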
Where can I read more about this?
More information on the vulnerabilities in Code.asp, Codebrws.asp, and Showcode.asp is available from Microsoft Knowledge Base article Q232449 and Microsoft Security Bulletin 99-013.