Bugtraq mailing list archives

Fw: IIS Hotfix Available


From: Dc-comp () IX NETCOM COM (Derrick Bennett)
Date: Fri, 28 Feb 1997 18:23:17 -0800


I received this today and wanted to pass it on to all those with the
asp problem.

Derrick
DC-comp () ix netcom com

----------
From: Microsoft Internet Information Server Team <msiiseval () microsoft nwnet com>
To: Internet Information Server <iis-eval-info () microsoft nwnet com>
Subject: IIS Hotfix Available
Date: Friday, February 28, 1997 3:49 PM

Dear Microsoft customer:

Microsoft recently learned about a bug that affects all versions
of Internet Information Server. We take these issues very seriously,
and wanted to share information on the problem, and how to download
the patch.

The problem affects any script-mapped files that are requested from a
virtual directory that has both Read and Execute permissions set,
including files with the following extensions: .ASP, .IDQ, .IDC, .PL,
etc.  Adding one or more extra periods onto the end of the URL will
cause the contents of the script to be displayed in the browser
instead of executed on the server, allowing end-users to see
information that may be confidential, such as server-side script
logic. For example, it might be possible for an end-user to see the
discount applied to the retail price from a database.  For more
information on the bug, please refer to:
http://www.microsoft.com/iis/iisnews/hotnews/security.htm

To download the hotfix, please connect to:

ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postsp2/iis-fix.
(Note: the hotfix depends on having either Windows NT Server 4.0 Service
Pack 1a or Service Pack 2 installed. Please review the readme.lst for more
information).

Additionally, Microsoft recommends that customers store static pages and
dynamic script pages in different virtual directories to ensure highest
levels of security. It is further recommended to minimize your
confidential information in script code.

We apologize for the inconvenience this issue may have caused you. Our
customers are key to helping keep Internet Information Server the most
powerful, secure, high performance server available -- thank you again
for your support. Please email any comments or concerns to
iiswish () microsoft com.

Sincerely,
The Microsoft Internet Information Server Team
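
A log check for the request pattern the advisory describes, added here as an example (not part of the original message or of Microsoft's hotfix): it flags requests whose path ends in a script-mapped extension followed by one or more periods and rates each against the virtual directory's permissions. The log layout, the `VDIRS` inventory, the verdict heuristic and all sample values are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Script-mapped extensions named in the advisory (its list ends with "etc.").
SCRIPT_EXTS = ("asp", "idq", "idc", "pl")
# Path ending in a script extension followed by one or more periods.
TRAILING_DOTS = re.compile(r"\.(%s)\.+$" % "|".join(SCRIPT_EXTS), re.IGNORECASE)

# Constructed inventory (assumption): virtual directory -> permissions set on it.
VDIRS = {
    "/scripts": {"execute"},
    "/shop": {"read", "execute"},
    "/static": {"read"},
}

# Constructed log lines in a simplified "client method url status" layout.
SAMPLE_LOG = """\
192.0.2.10 GET /shop/price.asp 200
192.0.2.11 GET /shop/price.asp. 200
192.0.2.11 GET /scripts/query.IDC..?id=4 404
192.0.2.12 GET /static/notes.txt. 200
192.0.2.13 GET /shop/cart.pl... 200
"""

def vdir_for(path):
    """Return the longest configured virtual directory containing path."""
    hits = [v for v in VDIRS if path.lower().startswith(v + "/")]
    return max(hits, key=len) if hits else None

def audit(log_text):
    """Return (client, path, verdict) for trailing-period script requests."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        client, _method, url, status = parts
        path = urlsplit(url).path  # drop any query string before matching
        if not TRAILING_DOTS.search(path):
            continue
        perms = VDIRS.get(vdir_for(path), set())
        # Heuristic: Read+Execute on the directory plus a 200 response.
        exposed = {"read", "execute"} <= perms and status == "200"
        findings.append((client, path, "source likely served" if exposed else "probe"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Directories that the inventory shows with both Read and Execute are also the ones to split into separate static and script directories, as the message recommends.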




