Fwd: SBN Wire: Security Bulletin (WAS: Re: Aside: ability to view ASP/ColdFusion code )

Eric Germann ekgermann at cctec.com
Fri Jul 3 15:39:05 UTC 1998


>
>*** Microsoft (R) Site Builder Network ***
>
>This special edition of the SBN Wire is to inform our
>membership of a recent security issue that pertains to
>Microsoft Internet Information Servers.  Please see the
>Security Bulletin below for details.
>
>The latest information on this matter can be found on
>http://www.microsoft.com/security.
>
>The SBN Team
>
>------------------
>
>MICROSOFT SECURITY BULLETIN (MS98-003)
>
>Hotfix available for the Microsoft Internet Information
>Server file access issue
>Last revision: July 2, 1998
>
>SUMMARY
>Recently Paul Ashton reported an issue on the NTBugtraq
>mailing list (http://www.ntbugtraq.com) that affects
>Microsoft Internet Information Servers (IIS). Web clients
>that connect to IIS can read the contents of files to which
>they have execute and read only permissions. These files
>have to be in a web server v-root directory and on an NTFS
>volume.
>
>The purpose of this bulletin is to inform Microsoft
>customers of this issue, its applicability to Microsoft
>products, and the availability of countermeasures Microsoft
>has developed to further secure its customers.
>
>ISSUE
>The native Windows NT file system, NTFS, supports multiple
>data streams within a file. The main data stream, which
>stores the primary content has an attribute called $DATA.
>Accessing this NTFS stream via IIS from a browser may
>display the script code for the file.
>
>The issue is a result of the way IIS parses filenames. The
>fix involves IIS supporting NTFS alternate data streams by
>asking Windows NT to canonicalize the filename.
>
>For the problem to occur the user must:
>
>1) Know the name of the file
>2) The ACLs on the file must allow some access (i.e. read
>and execute access)
>3) The file must reside on an NTFS partition
>
>The user cannot view files on which the ACLs are set to
>deny all access.
>
>For more information on NTFS Alternate Data Streams please
>see Microsoft Knowledge Base article Q105763.
>
>AFFECTED SOFTWARE VERSIONS
>Microsoft Internet Information Server version 3.0 and 4.0
>
>MORE INFORMATION
>Please see Microsoft Knowledge Base article Q188806 for
>more information.
>
>WHAT MICROSOFT IS DOING
>The Microsoft Product Security Response Team has produced a
>hotfix for Microsoft Internet Information Server version
>3.0.
>
>Microsoft is currently testing a hot fix for Internet
>Information Server version 4.0 which will be posted later
>today.
>
>WHAT CUSTOMERS SHOULD DO
>Microsoft strongly recommends that customers using IIS
>version 3 and 4 should apply the hotfix.
>
>IIS 3.0 (Intel x86) hotfix -
>ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/security/iis3-datafix/iis3fixi.exe
>
>IIS 3.0 (Alpha) hotfix -
>ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/security/iis3-datafix/iis3fixa.exe
>
>IIS 4.0 hotfix - This will be released later today
>
>More information on obtaining the hotfix can be found in
>Microsoft Knowledge Base article Q188806
>
>ADMINISTRATIVE WORKAROUND
>Customers who cannot apply the hot fix can use the
>following workaround to temporarily address this issue:
>
>Make the following additions to the Application Map in
>IIS4:
>
>The steps to perform this are:
>* Open the Microsoft Management Console
>* Right click on the Virtual Server in question
>* Select Properties
>* Select the Home Directory tab
>* Select Configuration
>
>Now add each of the entries noted below:
>
>.idc::$DATA
>.stm::$DATA
>.asp::$DATA
>.asa::$DATA
>.shtm::$DATA
>.shtml::$DATA
>.pl::$DATA
>
>
>In addition, the following practices can help to further
>improve security for your IIS servers:
>* Periodically review the users and groups who have access
>to the web server: Review the users and groups and their
>permissions to ensure that only valid users have the
>appropriate permissions.
>
>* Use auditing to detect for suspicious activity: Apply
>auditing controls on sensitive files and review these logs
>periodically to detect suspicious or unauthorized behavior.
>
>
>REVISIONS
>July 2, 1998: Bulletin Created
>
>For additional information on security issues at Microsoft,
>please visit www.microsoft.com/security
>
>THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
>PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT
>DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED,
>INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
>A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT
>CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES
>WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
>CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
>EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN
>ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO
>NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
>CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING
>LIMITATION MAY NOT APPLY.
>
>Copyright 1998 Microsoft and/or its suppliers. All rights
>reserved. For Terms of Use see:
>http://support.microsoft.com/support/misc/cpyright.asp
> 

==========================================================================
  Eric Germann                                        CCTec
  ekgermann at cctec.com                                 Van Wert, OH 45891
  http://www.cctec.com                                Ph: 419 968 2640
                                                      Fax: 419 968 2641
         Network Design, Connectivity & System Integration Services 
                     A Microsoft Solution Provider
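As an added example (not part of the forwarded bulletin or of IIS), the Python below scans constructed IIS-style log lines for requests that name an NTFS stream such as `default.asp::$DATA`, recovers the canonical filename the way the described fix does, and flags hits against the script extensions in the bulletin's Application Map workaround. The log layout, addresses and paths are constructed sample data.

```python
"""Detect requests naming an NTFS alternate data stream (MS98-003 pattern)
in constructed W3C-style IIS log lines and report likely source exposure."""
import posixpath
import re
from urllib.parse import unquote

# Extensions from the bulletin's Application Map workaround list.
SCRIPT_EXTENSIONS = {".idc", ".stm", ".asp", ".asa", ".shtm", ".shtml", ".pl"}

# A colon in the last path segment cannot be part of an NTFS filename, so it
# introduces a stream: "::$DATA" (default stream), ":name" or ":name:$DATA".
STREAM_RE = re.compile(r"^(?P<base>[^:]+)(?P<stream>:[^:/]*(?::\$DATA)?)$",
                       re.IGNORECASE)

# Constructed sample log (W3C extended layout: date time c-ip cs-method
# cs-uri-stem sc-status); addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status
1998-07-02 10:15:01 192.0.2.10 GET /default.asp 200
1998-07-02 10:15:07 192.0.2.10 GET /default.asp::$DATA 200
1998-07-02 10:15:09 192.0.2.10 GET /scripts/login.pl::%24DATA 200
1998-07-02 10:16:30 198.51.100.7 GET /images/logo.gif::$DATA 200
1998-07-02 10:17:02 198.51.100.7 GET /admin/global.asa::$DATA 403
"""


def canonical_name(uri_stem):
    """Return (canonical path, stream suffix or None) for a request path.
    Percent-decodes first, as the server would, then strips any stream
    reference from the final segment, mirroring the fix's canonicalization."""
    path = unquote(uri_stem)
    head, sep, last = path.rpartition("/")
    m = STREAM_RE.match(last)
    if not m:
        return path, None
    return head + sep + m.group("base"), m.group("stream")


def scan_log(lines):
    """Return one finding per request that referenced an NTFS stream.
    script_source_exposure is True when the canonical file has a script
    extension from the workaround list and the server answered 200."""
    findings = []
    for line in lines:
        fields = line.split()
        if not fields or line.startswith("#") or len(fields) < 6:
            continue
        client, stem, status = fields[2], fields[4], fields[5]
        canon, stream = canonical_name(stem)
        if stream is None:
            continue
        ext = posixpath.splitext(canon)[1].lower()
        findings.append({"client": client, "requested": stem, "canonical": canon,
                         "stream": stream,
                         "script_source_exposure": ext in SCRIPT_EXTENSIONS
                                                   and status == "200"})
    return findings
```

Running `scan_log(SAMPLE_LOG.splitlines())` on the sample returns four findings; only the `.asp` and `.pl` hits answered with 200 are flagged as probable script-source exposure, which is the case the bulletin describes.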
