Microsoft IIS Vulnerabilities

Impact

Remote users can view files to which they should not have access.

Background

Microsoft IIS 4.0 includes sample web sites to assist web developers. It also includes the files CodeBrws.asp, Code.asp, and Showcode.asp to allow web developers to view the code that makes the sample web sites work.

The Problem

These three ASP files (CodeBrws.asp, Code.asp, and Showcode.asp) could allow a remote user to view any files on the same logical disk as the ASP files. In order to exploit the vulnerability, an attacker would need to know the name and path of the file to view. Also, files whose access control lists deny read access could not be viewed by exploiting this vulnerability.

Resolutions

Delete the following files. They are for demonstration purposes only and there is usually no need for them on an operational web server. (IIS_DIRECTORY is the path to the directory containing the IIS files.) If these files are needed on your web server, then set the access control list for these files to allow access only by authorized users, or install the hotfix described in Microsoft Knowledge Base article Q232449.
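The following Python check is an added example, not part of the advisory or of IIS: it scans an IIS W3C extended log for requests to the three sample files so an administrator can see whether they were being requested before removal and confirm nothing still serves them afterwards. The log lines, paths and client addresses are constructed for the example.

```python
"""Detect requests to the IIS 4.0 sample code viewers (CodeBrws.asp, Code.asp,
Showcode.asp) in IIS W3C extended logs.  Added example, not from the advisory."""
from collections import Counter
from urllib.parse import unquote

SAMPLE_VIEWERS = {"codebrws.asp", "code.asp", "showcode.asp"}

# Constructed log excerpt: paths, times and client addresses are invented.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
1999-06-15 10:02:11 192.0.2.10 GET /default.asp - 200
1999-06-15 10:02:19 192.0.2.10 GET /samples/showcode.asp - 200
1999-06-15 10:02:31 192.0.2.10 GET /samples/Show%43ode.asp - 200
1999-06-15 10:03:05 192.0.2.77 GET /iissamples/CodeBrws.asp - 200
1999-06-15 10:03:40 192.0.2.77 GET /products/code.aspx - 404
1999-06-15 10:04:02 192.0.2.10 GET /samples/code.asp - 401
"""

def parse_w3c(text):
    """Yield one dict per entry, naming columns from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def is_sample_viewer(uri_stem):
    """True if the request targets one of the three sample code viewers.
    Percent-decoding and lower-casing catch encoded or mixed-case spellings;
    only the last path component is compared, so code.aspx does not match."""
    name = unquote(uri_stem).rsplit("/", 1)[-1].lower()
    return name in SAMPLE_VIEWERS

def find_sample_viewer_hits(text):
    """Return the matching entries and a per-client count of them."""
    hits = [e for e in parse_w3c(text) if is_sample_viewer(e["cs-uri-stem"])]
    return hits, Counter(e["c-ip"] for e in hits)

if __name__ == "__main__":
    hits, per_client = find_sample_viewer_hits(SAMPLE_LOG)
    for e in hits:
        print(e["date"], e["time"], e["c-ip"], e["cs-uri-stem"], e["sc-status"])
    print(dict(per_client))
```

Once the files have been deleted or restricted, any remaining hits should carry 404 or 401 status codes; a 200 means a copy of one of the viewers is still being served.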

Where can I read more about this?

More information on the vulnerabilities in Code.asp, Codebrws.asp, and Showcode.asp is available from Microsoft Knowledge Base article Q232449 and Microsoft Security Bulletin 99-013.