
Title: File Access issue with Internet Information Server
Released by: MICROSOFT
Date: 8th July 1998
Microsoft Security Bulletin (MS98-003)

File Access issue with Internet Information Server

Last Revision: July 8, 1998



Summary
=======
Recently Paul Ashton reported an issue on the NTBugtraq mailing
list (http://www.ntbugtraq.com) that affects Microsoft Internet
Information Server (IIS). Web clients that connect to IIS can read
the contents of any NTFS file in an IIS v-root directory to which
they have been granted "read access". They can read these files
even if the file is marked for "applications mappings", such as
those used with Active Server Pages scripts.



The purpose of this bulletin is to inform Microsoft customers of this
issue, its applicability to Microsoft products, and the availability
of countermeasures Microsoft has developed to further secure its
customers.



Issue
=====
The native Microsoft(r) Windows NT(r) file system, NTFS, supports
multiple data streams within a file. The main data stream, which stores
the primary content, has an attribute called $DATA. Accessing this NTFS
stream via IIS from a browser may display the contents of a file that
is normally set to be acted upon by an Application Mapping.



For example, .ASP files are mapped such that they are executed by
the Active Server Pages scripting agent on the server, rather than
simply returning the contents of a file, as is done with standard
.htm files. Normally, the direct contents of these script-mapped
files should not be returned to the user. However, by requesting the
file using its complete data stream name, a web browser could
obtain the contents of the script file. In some cases, the file
might contain sensitive information such as embedded passwords or
other sensitive "business logic" information.



This issue does not give the user, who was able to access the script
file, the ability to alter the script on the server, or force the server
to run any arbitrary code. The only exposure here is to the plain text
contents of the script file.



The issue is a result of how IIS parses filenames. The fix involves
IIS supporting NTFS alternate data streams by asking Windows NT to
canonicalize the filename.
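
The parsing problem and the canonicalization fix described above, modelled as an added example (not IIS code and not part of the original bulletin). The mapping table, handler names and function names are hypothetical; the stream specifier follows the NTFS "file:stream:$TYPE" naming convention.

```python
# Added illustration: a toy extension-to-handler lookup, not IIS source code.
from urllib.parse import unquote

# Hypothetical application-mapping table (extension -> handler).
SCRIPT_MAP = {".asp": "asp-engine"}
STATIC = "static-file"  # handler that returns file contents verbatim


def last_segment(url_path):
    """Percent-decode the URL path and return its final segment."""
    return unquote(url_path).rsplit("/", 1)[-1]


def extension_of(name):
    """Return the lower-cased text from the last dot onward, or ''."""
    _, dot, tail = name.rpartition(".")
    return (dot + tail).lower() if dot else ""


def naive_handler(url_path):
    """Flawed lookup: match the extension on the name exactly as requested."""
    return SCRIPT_MAP.get(extension_of(last_segment(url_path)), STATIC)


def canonical_file_name(name):
    """Reduce 'file:stream:$TYPE' syntax to the file it refers to.

    Only the unnamed $DATA stream is accepted (any letter case), since that
    is the file's main content; anything else is rejected in this model.
    """
    parts = name.split(":")
    if len(parts) == 1:
        return name
    if len(parts) == 3 and parts[1] == "" and parts[2].upper() == "$DATA":
        return parts[0]
    raise ValueError("unsupported stream specifier: %r" % name)


def canonical_handler(url_path):
    """Corrected lookup: canonicalize the name, then match the extension."""
    name = canonical_file_name(last_segment(url_path))
    return SCRIPT_MAP.get(extension_of(name), STATIC)
```

With the naive lookup a stream-qualified name misses the script mapping and is served as a plain file; after canonicalization the same request reaches the script handler.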



For the problem to occur:
 - The user must know the name of the file
 - The ACLs on the file must allow the user read access
 - The file must reside on an NTFS partition



Affected Software Versions
==========================
 - Microsoft Internet Information Server versions 1.0, 2.0, 3.0, 4.0
 - Microsoft Peer Web Server versions 2.0, 3.0
 - Microsoft Personal Web Server version 4.0 on Windows NT 4.0 Workstation



What Microsoft is Doing
=======================
The Microsoft Product Security Response Team has produced a hotfix for
Microsoft Internet Information Server versions 3.0 and 4.0.
Additionally, some administrative workarounds are included below.



What customers should do
========================
Microsoft strongly recommends that customers using IIS versions 3.0
and 4.0 apply the hotfix.

Customers running previous versions of IIS should upgrade to a more
recent version (3.0 or 4.0).



The following hotfixes are available from the Microsoft FTP download
server under
http://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/security/

  IIS 3.0 (Intel x86) hotfix     /iis3-datafix/iis3fixi.exe
  IIS 3.0 (Alpha) hotfix         /iis3-datafix/iis3fixa.exe

  IIS 4.0 (Intel x86) hotfix     /iis4-datafix/iis4fixi.exe
  IIS 4.0 (Alpha) hotfix         /iis4-datafix/iis4fixa.exe



As localized versions of this hotfix are produced, they will appear
in the respective language directories under
http://ftp.microsoft.com/bussys/IIS/iis-public/fixes/(lang)/security



Administrative workaround
=========================
Customers who cannot apply the hotfix can use the following workaround
to temporarily address this issue:

Normally, web users do not need "read" access to script files, such
as .ASP files. They simply need "execute" permissions. Removing "read"
access to these files for non-administrative users will remove this
exposure.



For additional protection, the Application Maps can be modified in
IIS 4.0 to take into account the existence of the alternate data
streams. More details on this workaround are available in the
Microsoft Knowledge Base article Q188806 (see the "More Information"
section below for the URL).



In addition, the following practices can help to further improve
security for your IIS servers:

  - Periodically review the users and groups who have access to the web
    server: Review the users and groups and their permissions to ensure
    that only valid users have the appropriate permissions.
  - Use auditing to detect suspicious activity: Apply auditing
    controls on sensitive files and review these logs periodically to
    detect suspicious or unauthorized behavior.
  - Set "read" and "execute" permissions appropriately: ASP and other
    script files do not need to be readable by users that access them
    through IIS; rather, they need to be executable. Thus, it is
    advisable to remove "read" access from these files for normal users.
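
As a complement to the file auditing recommended above, web server logs can be reviewed for requests that name an NTFS stream. The following is an added example, not part of the original bulletin; it assumes logs in W3C extended format with a "#Fields:" header, and the sample lines, addresses and function names are constructed for illustration.

```python
# Added illustration: hunt for stream-qualified requests in web server logs.
from urllib.parse import unquote

# Constructed sample in W3C extended log format (documentation addresses).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
1998-07-06 10:01:12 192.0.2.10 GET /app/login.asp 200
1998-07-06 10:01:40 192.0.2.77 GET /app/login.asp::$DATA 200
1998-07-06 10:02:03 192.0.2.77 GET /app/login.asp%3A%3A%24DATA 200
1998-07-06 10:02:30 192.0.2.77 GET /app/login.asp%253A%253A%2524DATA 404
1998-07-06 10:03:00 192.0.2.10 GET /images/logo.gif 200
"""


def fully_decode(text, max_rounds=3):
    """Percent-decode repeatedly so double-encoded colons are also seen."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def find_stream_requests(log_text):
    """Return (client, decoded path, status) for paths naming an NTFS stream."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        path = fully_decode(row.get("cs-uri-stem", ""))
        # A colon in the final segment is stream syntax, not a normal URL path.
        if ":" in path.rsplit("/", 1)[-1]:
            hits.append((row.get("c-ip"), path, row.get("sc-status")))
    return hits
```

A hit with a 200 status on a script-mapped file is the case to investigate first, since it indicates the file contents may have been returned.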



More Information
================
Please see the following references for more information related to
this issue.

  - Microsoft Security Bulletin 98-003, File Access issue with Internet
    Information Server (the web-posted version of this bulletin),
    http://www.microsoft.com/security/bulletins/ms98-003.htm
  - Microsoft Knowledge Base article Q188806, NTFS Alternate Data Stream
    Name of a File May Return Source,
    http://support.microsoft.com/support/kb/articles/q188/8/06.asp
  - Microsoft Knowledge Base article Q105763, HOWTO: Use NTFS Alternate
    Data Streams,
    http://support.microsoft.com/support/kb/articles/q105/7/63.asp



Revisions
=========
July 2, 1998: Bulletin Created
July 6, 1998: Updated information on the availability of hotfix for IIS
              4.0 and Alpha version as well. Added additional information
              on workaround, and more thorough issue description.
July 8, 1998: Updated to include information about localized versions of
              the hotfix. Updated information about products affected.



For additional information on security with Microsoft products, please visit
http://www.microsoft.com/security



===============================================================================
  THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
  WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
  EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
  FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
  SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
  INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
  IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY
  OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF
  LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION
  MAY NOT APPLY.

(c) 1998 Microsoft and/or its suppliers. All rights reserved.
For Terms of Use see http://support.microsoft.com/support/misc/cpyright.asp.









