Microsoft IIS 4.0 allows unauthorized ASP source code and sensitive file access via showcode.asp.
L0pht Security Advisory
-------------
URL Origin: http://www.l0pht.com/advisories.html
Release Date: May 7th, 1999
Application: Microsoft IIS 4.0 Web Server
Severity: Web users can view ASP source code and other sensitive
files on the web server
Author: [email protected]
Operating Sys: Microsoft NT Server 4.0
--------------
I. Description
Internet Information Server (IIS) 4.0 ships with a set of sample files
to help web developers learn about Active Server Pages (ASP). One of
these sample files, showcode.asp, is designed to view the source
code of the sample applications via a web browser. The showcode.asp
file does inadequate security checking and allows anyone with a web
browser to view the contents of any text file on the web server. This
includes files that are outside of the document root of the web
server.
Many ecommerce web servers store transaction logs and other customer
information such as credit card numbers, shipping addresses, and
purchase information in text files on the web server. This is the
type of data that could be accessed with this vulnerability.
The L0pht would like to thank Parcens for doing the initial research on
this problem.
II. Details
The showcode.asp file is installed by default at the URL:
http://www.someserver.com/msadc/Samples/SELECTOR/showcode.asp
It takes 1 argument in the URL, which is the file to view. The format of
this argument is:
source=/path/filename
So to view the contents of the showcode.asp file itself the URL would be:
http://www.someserver.com/msadc/Samples/SELECTOR/showcode.asp?source=/msadc/Samples/SELECTOR/showcode.asp
This looks like a fairly dangerous sample file. It can view the contents
of files on the system. The author of the ASP file added a security check
to only allow the viewing of the sample files which were in the '/msadc'
directory on the system. The problem is the security check does not test
for the '..' characters within the URL. The only checking done is if the
URL contains the string '/msadc/'. This allows URLs to be created that
view, not only files outside of the samples directory, but files anywhere
on the entire file system that the web server's document root is on.
For example, a URL that will view the contents of the boot.ini file, which
is in the root directory of an NT system is:
http://www.someserver.com/msadc/Samples/SELECTOR/showcode.asp?source=/msadc/Samples/../../../../../boot.ini
This URL requires that IIS 4.0 was installed in its default location.
III. Solution
For production servers, sample files should never be installed so delete
the entire /msadc/samples directory. If you must have the showcode.asp
capability on development servers the showcode.asp file should be modified
to test for URLs with '..' in them and deny those requests.
For specific questions about this advisory, please contact
[email protected]
---------------
For more L0pht (that's L - zero - P - H - T) advisories check out:
http://www.l0pht.com/advisories.html
---------------
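The advisory's Details section shows why a substring test for '/msadc/' is no defence, and its Solution suggests rejecting any '..'. The block below is an added example, not code from the L0pht advisory or from Microsoft: it reproduces that substring check, a check that only rejects a leading '..', the advisory's proposed '..' denylist, and a canonicalising check that decodes the value, collapses the path and requires it to sit under the samples directory. It runs all four against the two URLs the advisory gives plus one constructed variant with the dots percent-encoded. SAMPLES_ROOT and the raw_source_param extraction are assumptions of this example; the page does not say whether showcode.asp saw a decoded or an undecoded value, so the encoded case illustrates the general rule that a check must run after all decoding, not a claim about IIS.

```python
# Added example, not code from the L0pht advisory or from Microsoft.
# Four ways the "source=" value of a file viewer could be validated, run
# against the two URLs the advisory gives plus one constructed variant.
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# The only directory the viewer is supposed to expose (assumed for this example).
SAMPLES_ROOT = "/msadc/Samples"


def raw_source_param(url: str) -> str:
    """Return the 'source' query value exactly as it appears on the wire,
    without percent-decoding, so every check below sees the same input."""
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == "source":
            return value
    return ""


def check_substring(raw: str) -> bool:
    """The check the advisory describes: anything containing '/msadc/' passes."""
    return "/msadc/" in raw


def check_leading_dotdot(raw: str) -> bool:
    """A check that only rejects a value *starting* with '..' (hypothetical;
    shown because an embedded '..' walks past it just as easily)."""
    return "/msadc/" in raw and not raw.lstrip("/").startswith("..")


def check_deny_dotdot(raw: str) -> bool:
    """The fix the advisory suggests: refuse any value containing '..'.
    Stops the literal payload, but it inspects the undecoded string, so a
    percent-encoded '..' slips through if decoding happens afterwards."""
    return "/msadc/" in raw and ".." not in raw


def check_canonical(raw: str) -> bool:
    """Decode first, collapse '.' and '..' segments, then require the result to
    sit under SAMPLES_ROOT. normpath() resolves the traversal before the
    prefix test, so every '..' variant is compared as its real target."""
    path = unquote(raw)
    if "\\" in path or "\x00" in path:  # Windows also honours backslash; NUL ends C strings
        return False
    canonical = normpath("/" + path.lstrip("/"))
    return canonical == SAMPLES_ROOT or canonical.startswith(SAMPLES_ROOT + "/")


def evaluate(url: str) -> dict:
    """Run all four checks on one URL; True means the request would be served."""
    raw = raw_source_param(url)
    return {
        "substring": check_substring(raw),
        "leading_dotdot": check_leading_dotdot(raw),
        "deny_dotdot": check_deny_dotdot(raw),
        "canonical": check_canonical(raw),
    }


BASE = "http://www.someserver.com/msadc/Samples/SELECTOR/showcode.asp?source="
LEGIT = BASE + "/msadc/Samples/SELECTOR/showcode.asp"        # from the advisory
TRAVERSAL = BASE + "/msadc/Samples/../../../../../boot.ini"   # from the advisory
# Constructed for this example: the same traversal with the dots percent-encoded.
ENCODED = BASE + "/msadc/Samples/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/boot.ini"

if __name__ == "__main__":
    for name, url in (("legit", LEGIT), ("traversal", TRAVERSAL), ("encoded", ENCODED)):
        print(f"{name:10}", evaluate(url))
```

Only the canonical check rejects both traversal forms while still serving the legitimate self-view; the substring and leading-'..' checks serve all three, and the '..' denylist is beaten by the encoded form. The same containment test is what a hardened viewer should apply after opening the file's real path, since that is the only string the operating system actually resolves.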
-------------------------------------------------------------------------------
Date: Fri, 7 May 1999 11:39:41 -0700
From: Michael Howard <[email protected]>
To: [email protected]
Subject: Re: L0pht Advisory: NT IIS 4.0 - showcode file viewing vulnerability
fyi
there's a couple of kb's on this kind of thing
Q184717 - AspEnableParentPaths MetaBase Property Should Be Set To False
as well as one on removing samples.
also note, that the exair sample (which is NOT installed by default) also
has showcode functionality.
Cheers, MH
IIS Security PM
-------------------------------------------------------------------------------
Date: Fri, 7 May 1999 18:19:11 -0400
From: Russ <[email protected]>
To: [email protected]
Subject: Exploit of Examples - Part 2
As some of you may have noticed, Weld Pond of the l0pht submitted a
message to Bugtraq earlier today regarding an exploit in an IIS 4.0
sample file called showcode.asp.
Shortly thereafter, WebTrends Corporation, through their "SecureTrends
Security Advisory" mechanism, released 3 exploits of example code, 2 in
IIS 4.0 and 1 in Site Server 3.0.
WebTrends were also reporting the showcode.asp exploit, as well as an
exploit in codebrws.asp (both from IIS 4.0). They also reported an
exploit in viewcode.asp (from Site Server 3.0 Commerce Edition).
According to Microsoft, WebTrends had reported this to them back on
4/27.
All 3 reports result in the same vulnerability, the ability to do "../"
up the directory tree and read files.
As I said back in January;
http://ntbugtraq.ntadvice.com/default.asp?pid=36&sid=1&A2=ind9901&L=NTBUGTRAQ&D=0&P=6155&F=P
the actual vulnerability here is in the fact that samples were installed
and left on the box. Both WebTrends and Microsoft indicated that they
had seen far more IIS and Site Server sites that were both accessible,
and still had sample files on them, than expected.
Microsoft will be releasing information in their Security Bulletin
MS99-013 later today indicating better ACL settings and the like to make
these samples less of a risk. In the meantime, if you have any of these
files on your exposed machines, remove them (at least temporarily), or
restrict access to them.
Sample code that is not intended to be secure, may be exploitable. If we
stand for "security advisories" about exploits in sample files, we are
simply saying we do not want Vendors to provide us with sample files any
more. I, for one, do not want this. Vendors will never accept the
liability of telling you that "this is a secure implementation". This is
up to you, and your security policy, not the Vendor. So if a particular
sample can be exploited, it may well be because it was not intended to
be secure in a production environment (i.e. accessible with modification
from default installation). Anyone thinking to use such files as part of
a production system will, it's assumed, have gone over all of the potential
security vulnerabilities, including file permissions and such for the
sample files. If that's done, then these samples are no more insecure
than any other code.
WebTrends Press Release:
http://www.webtrends.com/news/releases/release.asp?id=81
l0pht Press Release:
http://www.l0pht.com/advisories/showcode.txt
Cheers,
Russ - NTBugtraq moderator
-------------------------------------------------------------------------------
Date: Fri, 7 May 1999 21:58:18 -0700
From: [email protected]
To: [email protected]
Subject: Microsoft Security Bulletin (MS99-013)
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
Microsoft Security Bulletin (MS99-013)
--------------------------------------
Solution Available for File Viewers Vulnerability
Originally Posted: May 7, 1999
Summary
=======
Microsoft has identified a vulnerability that occurs in some file viewers
that ship as part of Microsoft (r) Internet Information Server and Site
Server. The vulnerability could allow a web site visitor to view, but not to
change, files on the server, provided that they knew or guessed the name of
each file and had access rights to it based on Windows NT ACLs.
Microsoft is releasing this security bulletin to inform customers of the
vulnerability and enable them to eliminate it immediately. Patches are being
developed for the affected file viewers, and will be available shortly. When
they are available, an update to this security bulletin will be released.
Issue
=====
Microsoft Site Server and Internet Information Server include tools that
allow web site visitors to view selected files on the server. These are
installed by default under Site Server, but must be explicitly installed
under IIS. These tools are provided to allow users to view the source code
of sample files as a learning exercise, and are not intended to be deployed
on production web servers. The underlying problem in this vulnerability is
that the tools do not restrict which files a web site visitor can view.
It is important to note several important points:
- These file viewers are not installed by default under IIS.
They are only installed under IIS if the user chooses to install
the sample web files.
- This vulnerability only allows a web site visitor to view files.
There is no capability through this vulnerability to change files
or add files to the server.
- This vulnerability does not in any way bypass the Windows NT file
permission ACLs. A web site visitor could only use these tools to
view files whose ACLs allows them read access. The administrator of
the web server determines the specific permissions for all files on
the server.
- The viewers can only be used to view files on the same disk partition
as the currently-displayed web page. Databases such as those used by
e-commerce servers are typically stored on a different physical drive,
and these would not be at risk.
- The web site visitor would need to know or guess the name of each file
they wished to view.
Specific steps that customers can take to immediately eliminate the
vulnerability are discussed below in What Customers Should Do. In addition,
Microsoft is developing updated versions of the file viewers and will
release them shortly.
While there are no reports of customers being adversely affected by this
vulnerability, Microsoft is proactively releasing this bulletin to allow
customers to take appropriate action to protect themselves against it.
Affected Software Versions
==========================
- Microsoft Site Server 3.0, which is included with Microsoft Site
Server 3.0 Commerce Edition, Microsoft Commercial Internet
System 2.0, and Microsoft BackOffice Server 4.0 and 4.5
- Microsoft Internet Information Server 4.0
What Microsoft is Doing
=======================
Microsoft has provided this bulletin to inform customers of specific steps
that they can take to immediately eliminate this vulnerability on their
servers. Microsoft is developing updated file viewers that fix the problem
identified, and will release an updated version of this bulletin when they
are available.
Microsoft also has sent this security bulletin to customers subscribing
to the Microsoft Product Security Notification Service. See
http://www.microsoft.com/security/services/bulletin.asp for more
information about this free customer service.
Microsoft has published the following Knowledge Base (KB) article on this
issue:
- Microsoft Knowledge Base (KB) article Q231368,
Solution Available for File Viewers Vulnerability,
http://support.microsoft.com/support/kb/articles/q231/3/68.asp.
(Note: It might take 24 hours from the original posting of this
bulletin for the KB article to be visible in the Web-based
Knowledge Base.)
What Customers Should Do
========================
Customers should take the following steps to eliminate the vulnerability on
their web servers:
- Unless the affected file viewers are specifically required on the
web site, they should be removed. The following file viewers are
affected: ViewCode.asp, ShowCode.asp, CodeBrws.asp and Winmsdp.exe.
Depending on the specific installation, not all of these files may
be present on a server. Likewise, there may be multiple copies of
some files, so customers should do a full search of their servers
to locate all copies.
- In accordance with standard security guidelines, file permissions
should always be set to enable web visitors to access only the files
they need, and no others. Moreover, files that are needed by web
visitors should provide the least privilege needed; for example,
files that web visitors need to be able to read but not write should
be set to read-only.
- As a general rule, sample files and vroots should always be deleted
from a web server prior to putting it into production. If they are
needed, file access permissions should be used to regulate access to
them as appropriate.
More Information
================
Please see the following references for more information related to this
issue.
- Microsoft Security Bulletin MS99-013,
Solution Available for File Viewers Vulnerability
(The Web-posted version of this bulletin),
http://www.microsoft.com/security/bulletins/ms99-013.asp.
- Microsoft Knowledge Base (KB) article Q231368,
Solution Available for File Viewers Vulnerability,
http://support.microsoft.com/support/kb/articles/q231/3/68.asp.
Obtaining Support on this Issue
===============================
If you require technical assistance with this issue, please contact
Microsoft Technical Support. For information on contacting Microsoft
Technical Support, please see
http://support.microsoft.com/support/contact/default.asp.
Acknowledgments
===============
Microsoft acknowledges WebTrends (www.webtrends.com) for discovering this
vulnerability and reporting it to us.
Revisions
=========
- May 07, 1999: Bulletin Created.
For additional security-related information about Microsoft products, please
visit http://www.microsoft.com/security
--------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.
(c) 1999 Microsoft Corporation. All rights reserved. Terms of Use.
*******************************************************************
You have received this e-mail bulletin as a result of your registration
to the Microsoft Product Security Notification Service. You may
unsubscribe from this e-mail notification service at any time by sending
an e-mail to [email protected]
The subject line and message body are not used in processing the request,
and can be anything you like.
For more information on the Microsoft Security Notification Service
please visit http://www.microsoft.com/security/bulletin.htm. For
security-related information about Microsoft products, please visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.
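Russ's message notes that all three viewer reports reduce to the same "../" read up the directory tree, and the bulletin above names four files (ViewCode.asp, ShowCode.asp, CodeBrws.asp, Winmsdp.exe) and asks administrators to search their servers for every copy. The block below is an added example, not code from the bulletin, the advisory or any of the posters: it scans IIS log lines in the W3C extended format for any request to one of those four files and flags requests whose query string carries a parent-directory reference after percent-decoding, treating backslash as a separator because Windows accepts either. The log lines are constructed for this example; the paths used for codebrws.asp and viewcode.asp are placeholders, not their real install locations, and the field list in the #Fields header is one possible configuration.

```python
# Added example, not code from the bulletin or the advisory. Scans IIS
# W3C-extended log lines for requests to the four file viewers named in
# MS99-013 and flags any whose query string carries a parent-directory
# reference. The log lines are constructed; the paths for codebrws.asp
# and viewcode.asp are placeholders, not their real install locations.
import re
from urllib.parse import unquote

VIEWERS = {"viewcode.asp", "showcode.asp", "codebrws.asp", "winmsdp.exe"}

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 1999-05-07 10:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
1999-05-07 10:12:01 192.0.2.10 GET /default.asp - 200
1999-05-07 10:12:44 192.0.2.10 GET /msadc/Samples/SELECTOR/showcode.asp source=/msadc/Samples/SELECTOR/showcode.asp 200
1999-05-07 10:13:02 192.0.2.55 GET /msadc/Samples/SELECTOR/showcode.asp source=/msadc/Samples/../../../../../boot.ini 200
1999-05-07 10:13:09 192.0.2.55 GET /samples/codebrws.asp source=/samples/%2e%2e/%2e%2e/boot.ini 200
1999-05-07 10:14:30 192.0.2.77 GET /site/viewcode.asp source=..\\..\\..\\boot.ini 404
1999-05-07 10:15:00 192.0.2.10 GET /images/logo.gif - 200
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log data before any #Fields header")
        values = line.split()           # IIS writes '+' for spaces inside a field
        if len(values) != len(fields):  # skip a malformed line instead of aborting the scan
            continue
        yield dict(zip(fields, values))


def has_parent_ref(value):
    """True if any path segment of the decoded value is '..'; both separators
    are split on because Windows accepts either."""
    return any(seg == ".." for seg in re.split(r"[\\/]", unquote(value)))


def query_has_traversal(query):
    """Check every parameter value, not just 'source', since the viewers
    need not share a parameter name."""
    if query == "-":
        return False
    return any(has_parent_ref(pair.partition("=")[2]) for pair in query.split("&"))


def classify(entry):
    """Return a finding if the request hit one of the viewers, else None."""
    name = entry["cs-uri-stem"].rsplit("/", 1)[-1].lower()
    if name not in VIEWERS:
        return None
    return {
        "ip": entry["c-ip"],
        "viewer": name,
        "query": unquote(entry["cs-uri-query"]),
        "traversal": query_has_traversal(entry["cs-uri-query"]),
        "status": entry["sc-status"],
    }


def scan(text):
    """All viewer requests in the log, in order; filter on 'traversal' for the attempts."""
    return [hit for hit in (classify(e) for e in parse_w3c(text)) if hit]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        flag = "TRAVERSAL" if f["traversal"] else "viewer"
        print(f"{flag:9} {f['ip']:12} {f['viewer']:13} {f['status']} {f['query']}")
```

Every hit on a viewer is worth recording, because the bulletin's own advice is that these files should not be on a production server at all; the traversal flag separates learning-sample browsing from attack attempts, and the status column helps triage them (a 200 on a traversal query means the viewer served something, subject to the NT ACLs the bulletin mentions, while a 404 shows an attempt against a file that was not there).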
-------------------------------------------------------------------------------
Date: Sat, 8 May 1999 09:40:40 -0700
From: David LeBlanc <[email protected]>
To: [email protected]
Subject: Re: Exploit of Examples - Part 2
At 06:19 PM 5/7/99 -0400, Russ wrote:
>All 3 reports result in the same vulnerability, the ability to do "../"
>up the directory tree and read files.
>
>As I said back in January;
>
>http://ntbugtraq.ntadvice.com/default.asp?pid=36&sid=1&A2=ind9901&L=NTBUGTRAQ&D=0&P=6155&F=P
>
>the actual vulnerability here is in the fact that samples were installed
>and left on the box. Both WebTrends and Microsoft indicated that they
>had seen far more IIS and Site Server sites that were both accessible,
>and still had sample files on them, than expected.
As Michael Howard pointed out on BUGTRAQ, one of the other issues common to
each of these is accessing paths below the current directory. There is a
KB article on this - "Q184717 - AspEnableParentPaths MetaBase Property
Should Be Set To False".
Another known issue along these lines is indexing your source pages. It is
usually best to place everything you're going to index in a specific
directory or tree. I'd also point out that chapter 8 of the IIS Resource
Kit should be required reading for anyone setting up a web site.
David LeBlanc
[email protected]
-------------------------------------------------------------------------------
Date: Mon, 10 May 1999 15:09:43 -0700
From: Aleph One <[email protected]>
To: [email protected]
Subject: Re: Exploit of Examples - Part 2
On Sat, May 08, 1999 at 09:40:40AM -0700, David LeBlanc wrote:
>
> As Michael Howard pointed out on BUGTRAQ, one of the other issues common to
> each of these is accessing paths below the current directory. There is a
> KB article on this - "Q184717 - AspEnableParentPaths MetaBase Property
> Should Be Set To False".
What Michael could not answer is whether AspEnableParentPaths only
stops pathnames that start with ".." or also works with pathnames
where ".." is embedded somewhere else than at the beginning (like the
last exploit).
>
> Another known issue along these lines is indexing your source pages. It is
> usually best to place everything you're going to index in a specfic
> directory or tree. I'd also point out that chapter 8 of the IIS Resource
> Kit should be required reading for anyone setting up a web site.
>
>
> David LeBlanc
> [email protected]
>
--
Aleph One / [email protected]
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
-------------------------------------------------------------------------------
Date: Wed, 19 May 1999 18:04:43 -0700
From: [email protected]
To: [email protected]
Subject: Update to Microsoft Security Bulletin (MS99-013)
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
Update to Microsoft Security Bulletin (MS99-013)
------------------------------------------------
Patches Available for File Viewers Vulnerability
Originally Posted: May 7, 1999
Updated: May 19, 1999
Summary
=======
This is an update to Microsoft Security Bulletin MS99-013. The purpose of
the update is to advise customers of the availability of patches that
eliminate a vulnerability that occurs in some file viewers included in
Microsoft (r) Internet Information Server and Site Server. The vulnerability
could allow a web site visitor to view, but not to change, files on the
server, provided that they knew or guessed the name of each file and had
access rights to it based on Windows NT ACLs.
Issue
=====
Microsoft Site Server and Internet Information Server include tools that
allow web site visitors to view selected files on the server. These are
installed by default under Site Server, but must be explicitly installed
under IIS. These tools are provided to allow users to view the source code
of sample files as a learning exercise, and are not intended to be deployed
on production web servers. The underlying problem in this vulnerability is
that the tools do not restrict which files a web site visitor can view.
It is important to note several important points:
- These file viewers are not installed by default under IIS.
- The web site visitor would need to know or guess the name
of each file they wished to view.
- This vulnerability only allows a web site visitor to view
files, not to change them or to create new ones.
- The file viewers are subject to normal Windows NT file
permission ACLs. A web site visitor could only use the file
viewers to read files for which they have read access.
- The viewers can only be used to view files on the same disk
partition as the currently-displayed web page. Databases such
as those used by e-commerce servers are typically stored on a
different physical drive, and these would not be at risk.
While there are no reports of customers being adversely affected by this
vulnerability, Microsoft is proactively releasing this bulletin to allow
customers to take appropriate action to protect themselves against it.
Affected Software Versions
==========================
- Microsoft Site Server 3.0, which is included with Microsoft
Site Server 3.0 Commerce Edition, Microsoft Commercial
Internet System 2.0, and Microsoft BackOffice Server 4.0 and 4.5
- Microsoft Internet Information Server 4.0
What Microsoft is Doing
=======================
Microsoft has released patches that fix the problem identified. The patches
are available for download from the sites listed below in What Customers
Should Do.
Microsoft also has sent this security bulletin to customers subscribing
to the Microsoft Product Security Notification Service. See
http://www.microsoft.com/security/services/bulletin.asp for more
information about this free customer service.
Microsoft has published the following Knowledge Base (KB) article on this
issue:
- Microsoft Knowledge Base (KB) article Q231368,
Solution Available for File Viewers Vulnerability,
http://support.microsoft.com/support/kb/articles/q231/3/68.asp.
- Microsoft Knowledge Base (KB) article Q231656,
Preventing Viewcode.asp from Viewing Known Server Files,
http://support.microsoft.com/support/kb/articles/q231/6/56.asp.
(Note: It might take 24 hours from the posting of the bulletin for the
updates to the KB articles to be visible in the Web-based Knowledge Base.)
What Customers Should Do
========================
Microsoft highly recommends that customers evaluate the degree of risk that
this vulnerability poses to their systems and determine whether to download
and install the patch. The patch can be found at:
- Internet Information Server:
ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/Viewcode-fix/
- Site Server:
ftp://ftp.microsoft.com/bussys/sitesrv/sitesrv-public/fixes/usa/siteserver3/hotfixes-postsp2/Viewcode-fix/
Microsoft has provided a checklist that customers can use to ensure that
their web servers have been properly secured. This checklist is available
at http://www.microsoft.com/security/products/iis/checklist.asp
More Information
================
Please see the following references for more information related to this
issue.
- Microsoft Security Bulletin MS99-013,
Patches Available for File Viewers Vulnerability
(The Web-posted version of this bulletin),
http://www.microsoft.com/security/bulletins/ms99-013.asp.
- Microsoft Knowledge Base (KB) article Q231368,
Solution Available for File Viewers Vulnerability,
http://support.microsoft.com/support/kb/articles/q231/3/68.asp.
- Microsoft Knowledge Base (KB) article Q231656,
Preventing Viewcode.asp from Viewing Known Server Files,
http://support.microsoft.com/support/kb/articles/q231/6/56.asp.
Obtaining Support on this Issue
===============================
If you require technical assistance with this issue, please
contact Microsoft Technical Support. For information on contacting
Microsoft Technical Support, please see
http://support.microsoft.com/support/contact/default.asp.
Acknowledgments
===============
Microsoft acknowledges WebTrends (www.webtrends.com) for discovering this
vulnerability and reporting it to us.
Revisions
=========
- May 07, 1999: Bulletin Created.
- May 19, 1999: Bulletin updated to provide patch information.
For additional security-related information about Microsoft products, please
visit http://www.microsoft.com/security
-----------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.
(c) 1999 Microsoft Corporation. All rights reserved. Terms of Use.
*******************************************************************
You have received this e-mail bulletin as a result of your registration
to the Microsoft Product Security Notification Service. You may
unsubscribe from this e-mail notification service at any time by sending
an e-mail to [email protected]
The subject line and message body are not used in processing the request,
and can be anything you like.
For more information on the Microsoft Security Notification Service
please visit http://www.microsoft.com/security/bulletin.htm. For
security-related information about Microsoft products, please visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.