File Viewers Vulnerability

A vulnerability exists that occurs in some file viewers included in Microsoft® Internet Information Server and Site Server that could allow a web site visitor to view, but not to change, files on the server, provided that they knew or guessed the name of each file and had access rights to it based on Windows NT ACLs.

Issue

Microsoft Site Server and Internet Information Server include tools that allow web site visitors to view selected files on the server. These are installed by default under Site Server, but must be explicitly installed under IIS. These tools are provided to allow users to view the source code of sample files as a learning exercise, and are not intended to be deployed on production web servers. The underlying problem in this vulnerability is that the tools do not restrict which files a web site visitor can view.

Affected Products

• Microsoft Site Server 3.0 and Internet Information Server 4.0

Solution

A patch can be found at:

• Internet Information Server: ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/Viewcode-fix/
• Site Server: ftp://ftp.microsoft.com/bussys/sitesrv/sitesrv-public/fixes/usa/siteserver3/hotfixes-postsp2/Viewcode-fix/

Further Details

Source: Microsoft Corporation

Reference: Microsoft Corporation

Updated: May 19, 1999

>> Recommended Download - secure your PC from spyware, adware and malware now with Spyware Doctor <<