Bugtraq mailing list archives
Fw: IIS Hotfix Available
From: Dc-comp () IX NETCOM COM (Derrick Bennett)
Date: Fri, 28 Feb 1997 18:23:17 -0800
I received this today and wanted to pass it on to all those with the asp problem.

Derrick
DC-comp () ix netcom com

----------
From: Microsoft Internet Information Server Team <msiiseval () microsoft nwnet com>
To: Internet Information Server <iis-eval-info () microsoft nwnet com>
Subject: IIS Hotfix Available
Date: Friday, February 28, 1997 3:49 PM

Dear Microsoft customer:

Microsoft recently learned about a bug that affects all versions of Internet Information Server. We take these issues very seriously, and wanted to share information on the problem, and how to download the patch.

The problem affects any script-mapped files that are requested from a virtual directory that has both Read and Execute permissions set, including files with the following extensions: .ASP, .IDQ, .IDC, .PL, etc. Adding one or more extra periods onto the end of the URL will cause the contents of the script to be displayed in the browser instead of executed on the server, allowing end-users to see information that may be confidential, such as server-side script logic. For example, it might be possible for an end-user to see the discount applied to the retail price from a database.

For more information on the bug, please refer to:
http://www.microsoft.com/iis/iisnews/hotnews/security.htm

To download the hotfix, please connect to:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postsp2/iis-fix.

(Note: the hotfix depends on having either Windows NT Server 4.0 Service Pack 1a or Service Pack 2 installed. Please review the readme.lst for more information).

Additionally, Microsoft recommends that customers store static pages and dynamic script pages in different virtual directories to ensure highest levels of security. It is further recommended to minimize your confidential information in script code.

We apologize for the inconvenience this issue may have caused you. Our customers are key to helping keep Internet Information Server the most powerful, secure, high performance server available -- thank you again for your support. Please email any comments or concerns to iiswish () microsoft com.

Sincerely,
The Microsoft Internet Information Server Team
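
Added example, not part of the forwarded message or of Microsoft's notice: a log review that flags requests for script-mapped files with one or more trailing periods, the request shape the notice describes, so an administrator can see which scripts may already have been returned as source. The log layout (date, time, client, method, URI, status), the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Extensions named in the notice; extend to match the server's script mappings.
SCRIPT_EXTS = ("asp", "idq", "idc", "pl")

# Path ends in a script-mapped extension followed by one or more periods.
TRAILING_DOT = re.compile(r"\.(?:%s)\.+$" % "|".join(SCRIPT_EXTS), re.IGNORECASE)

# Constructed sample lines (assumed layout: date time client method uri status).
SAMPLE_LOG = """\
1997-02-28 10:01:02 192.0.2.10 GET /shop/price.asp 200
1997-02-28 10:01:09 192.0.2.10 GET /shop/price.asp. 200
1997-02-28 10:02:30 192.0.2.44 GET /search/query.IDQ.. 404
1997-02-28 10:03:11 192.0.2.44 GET /docs/notes.txt. 200
1997-02-28 10:04:00 192.0.2.77 GET /shop/cart.asp.?id=7 200
malformed line
"""

def find_trailing_dot_requests(log_text):
    """Return one dict per request whose path matches the notice's pattern."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6 or not fields[5].isdigit():
            continue  # skip lines that do not fit the assumed layout
        date, time, client, method, uri, status = fields
        path = uri.split("?", 1)[0]  # the extension check applies to the path only
        if TRAILING_DOT.search(path):
            hits.append({
                "when": f"{date} {time}", "client": client, "path": path,
                # A 200 means a body was returned, so review what that script holds.
                "served": status == "200",
            })
    return hits

def served_by_client(hits):
    """Group the paths that were answered with 200 by requesting client."""
    grouped = defaultdict(list)
    for h in hits:
        if h["served"]:
            grouped[h["client"]].append(h["path"])
    return dict(grouped)

if __name__ == "__main__":
    for hit in find_trailing_dot_requests(SAMPLE_LOG):
        print(hit)
```

Scripts listed by served_by_client are the ones whose embedded confidential information should be reviewed once the hotfix is installed.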