[INLINE] [INLINE] [INLINE] NSFOCUS Security Advisory(SA2000-02) Topic: IIS ISM.DLL truncation exposes file content Release Date: July 17, 2000 Affected software version: =========================== Microsoft Internet Information Server 4.0 Microsoft Internet Information Server 5.0 Platform: ========== Windows NT 4.0 and Windows 2000 Impact: ========= NSFOCUS security team found a vulnerability in Microsoft IIS 4.0/5.0 . Attacker can obtain the contents of certain types of files (.asp,.asa,.ini...) in Microsoft Internet Information Server 4.0 or 5.0., which is normally not accessible. Attacker may get some sensitive data from these files. Description: ============== By requesting an existing filename (for example, global.asa) with an appendage of "+" and extention of ".htr" from Microsoft Internet Information Server 4.0/5.0 , IIS will be tricked to call ISM.DLL ISAPI application to deal with this request. When "+" is found in the filename, ISM.DLL will truncate the "+.htr" and open the target file(global.asa). If the target file is not ".htr" file , part of target file source code will be exposed to the attacker. For example, attacker can retrieve the content of global.asa which often contains some sensitive information such as SQL server's username and password. Exploit: ========== Put this URL in your browser and view the source code of returned page: http://www.victim.com/global.asa+.htr Workaround: =========== If you don't need HTR function, remove the script mapping for HTR. Solution: =========== Microsoft has been informed and released one security bulletin concerning this flaw. The bulletin is live at : [1]http://www.microsoft.com/technet/security/bulletin/MS00-044.asp Patches are available at: IIS 4.0: [2]http://www.microsoft.com/Downloads/Release.asp?ReleaseID=22709 IIS 5.0: [3]http://www.microsoft.com/Downloads/Release.asp?ReleaseID=22708 Copyright: ========== July 17, 2000: Advisory Created. - -------------------------------------------------------- THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENTSHALL NSFOCUS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. DISTRIBUTION OR REPRODUTION OF THE INFORMATION IS PROVIDED THAT THE ADVISORY IS NOT MODIFIED IN ANY WAY. ©Copyright 1999-2000 NSFOCUS. All Rights Reserved. Terms of use. NSFOCUS Security Team <[4]security@nsfocus.com> NSFOCUS INFORMATION TECHNOLOGY CO.,LTD ([5]http://www.nsfocus.com) ©Copyright 2000 NSFOCUS Information Technology Co.,Ltd. All Rights Reserved. Contact:[6]webmaster@nsfocus.com References 1. http://www.microsoft.com/technet/security/bulletin/MS00-044.asp 2. http://www.microsoft.com/Downloads/Release.asp?ReleaseID=22709 3. http://www.microsoft.com/Downloads/Release.asp?ReleaseID=22708 4. mailto:security@nsfocus.com 5. http://www.nsfocus.com/ 6. mailto:webmaster@nsfocus.com