
File Access Issue with Internet Information Server

Web clients that connect to Windows NT IIS can read the contents of any NT File System (NTFS) file on the Windows NT Server that resides in an IIS v-root directory to which they have been granted "read access".

Issue

NTFS supports multiple data streams within a file. The main data stream, which stores the primary content, has an attribute called $DATA. Accessing this NTFS stream through IIS from a browser may display the contents of a file that is normally set to be acted upon by an Application Mapping. For example, .asp files are mapped so that they are executed by an ASP page scripting agent on the server, rather than simply having the contents of the file returned, as is done with standard .htm files.

Normally, the direct contents of these script-mapped files should not be returned to the user. However, by requesting the file using its complete data stream name, a Web browser could obtain the contents of the script file. In some cases, the file might contain sensitive information such as embedded passwords or other sensitive "business logic" information.

This issue does not give the user who could access the script file the ability to alter the script on the server, or to force the server to run arbitrary code. The only exposure is disclosure of the plain text of the script file.

The issue is a result of the way IIS parses file names. The fix involves IIS supporting NTFS alternate data streams by asking Windows NT to make the file name canonical.

For the problem to occur:

  • The user must know the name of the file
  • The ACLs on the file must allow the user read access
  • The file must reside on an NTFS partition
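
The parsing flaw and the canonicalization fix described above can be modelled in a few lines. This is an added example, not Microsoft's code or the hot fix itself; the script map, the handler names, the function names and the sample request paths are all hypothetical and constructed for illustration. It relies on the NTFS convention that a stream is named as file:stream:$TYPE.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical script map: extensions the server executes instead of returning.
SCRIPT_MAP = {".asp": "asp_engine"}

def naive_handler(url_path):
    """Flawed model: choose the handler from the raw text after the last dot."""
    ext = posixpath.splitext(unquote(url_path))[1].lower()
    return SCRIPT_MAP.get(ext, "static_file")

def canonical_name(url_path):
    """Reduce the last path segment to the file NTFS would actually open.

    NTFS names a stream as file:stream:$TYPE, so everything from the first
    colon in the leaf name onward selects a stream, not a different file.
    """
    head, _, leaf = unquote(url_path).rpartition("/")
    return f"{head}/{leaf.split(':', 1)[0]}"

def safe_handler(url_path):
    """Hardened model: refuse stream syntax, then map the canonical name."""
    leaf = unquote(url_path).rpartition("/")[2]
    if ":" in leaf:
        return "reject"
    return naive_handler(canonical_name(url_path))

def flag_requests(paths):
    """Return logged paths whose raw and canonical handlers disagree,
    i.e. requests that would bypass a script mapping on an unpatched server."""
    return [p for p in paths
            if naive_handler(p) != naive_handler(canonical_name(p))]

# Constructed sample request paths, not taken from any real log.
SAMPLE = [
    "/index.htm",
    "/app/login.asp",
    "/app/login.asp::$DATA",
    "/app/login.asp%3A%3A$data",
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p:32} naive={naive_handler(p):12} safe={safe_handler(p)}")
    print("flagged:", flag_requests(SAMPLE))
```

Running `flag_requests` over the request-path column of the Web server logs gives a quick review of whether script-mapped files were requested by stream name before the hot fix was applied.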

Affected Products

  • Microsoft IIS 1.0, 2.0, 3.0, and 4.0, Peer Web Server 2.0, 3.0, Personal Web Server 4.0 on NT 4.0 Workstation

Solution

Microsoft strongly recommends that customers using IIS versions 3.0 and 4.0 apply the hot fix. Customers running earlier versions of Windows NT Server's IIS should upgrade to a more recent version (3.0 or 4.0). The following hot fixes are available from the Microsoft FTP download server under ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/security/

  • IIS 3.0 (Intel x86) hot fix, /iis3-datafix/iis3fixi.exe
  • IIS 3.0 (Alpha) hot fix, /iis3-datafix/iis3fixa.exe
  • IIS 4.0 (Intel x86) hot fix, /iis4-datafix/iis4fixi.exe
  • IIS 4.0 (Alpha) hot fix, /iis4-datafix/iis4fixa.exe

Further Details

Source: Microsoft Corporation

Reference: Microsoft Corporation

Updated: July 8, 1998
