North American Network Operators Group
Fwd: SBN Wire: Security Bulletin (WAS: Re: Aside: ability to view ASP/ColdFusion code )
> >*** Microsoft (R) Site Builder Network ***
> >
> >This special edition of the SBN Wire is to inform our membership of a recent security issue that pertains to Microsoft Internet Information Servers. Please see the Security Bulletin below for details.
> >
> >The latest information on this matter can be found on http://www.microsoft.com/security.
> >
> >The SBN Team
> >
> >------------------
> >
> >MICROSOFT SECURITY BULLETIN (MS98-003)
> >
> >Hotfix available for the Microsoft Internet Information Server file access issue
> >Last revision: July 2, 1998
> >
> >SUMMARY
> >Recently Paul Ashton reported an issue on the NTBugtraq mailing list (http://www.ntbugtraq.com) that affects Microsoft Internet Information Servers (IIS). Web clients that connect to IIS can read the contents of files to which they have execute and read only permissions. These files have to be in a web server v-root directory and on an NTFS volume.
> >
> >The purpose of this bulletin is to inform Microsoft customers of this issue, its applicability to Microsoft products, and the availability of countermeasures Microsoft has developed to further secure its customers.
> >
> >ISSUE
> >The native Windows NT file system, NTFS, supports multiple data streams within a file. The main data stream, which stores the primary content, has an attribute called $DATA. Accessing this NTFS stream via IIS from a browser may display the script code for the file.
> >
> >The issue is a result of the way IIS parses filenames. The fix involves IIS supporting NTFS alternate data streams by asking Windows NT to canonicalize the filename.
> >
> >For the problem to occur the user must:
> >
> >1) Know the name of the file
> >2) The ACLs on the file must allow some access (i.e. read and execute access)
> >3) The file must reside on an NTFS partition
> >
> >The user cannot view files on which the ACLs are set to deny all access.
> >
> >For more information on NTFS Alternate Data Streams please see Microsoft Knowledge Base article Q105763.
> >
> >AFFECTED SOFTWARE VERSIONS
> >Microsoft Internet Information Server version 3.0 and 4.0
> >
> >MORE INFORMATION
> >Please see Microsoft Knowledge Base article Q188806 for more information.
> >
> >WHAT MICROSOFT IS DOING
> >The Microsoft Product Security Response Team has produced a hotfix for Microsoft Internet Information Server version 3.0.
> >
> >Microsoft is currently testing a hot fix for Internet Information Server version 4.0 which will be posted later today.
> >
> >WHAT CUSTOMERS SHOULD DO
> >Microsoft strongly recommends that customers using IIS version 3 and 4 should apply the hotfix.
> >
> >IIS 3.0 (Intel x86) hotfix -
> >ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/security/iis3-datafix/iis3fixi.exe
> >
> >IIS 3.0 (Alpha) hotfix -
> >ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/security/iis3-datafix/iis3fixa.exe
> >
> >IIS 4.0 hotfix - This will be released later today
> >
> >More information on obtaining the hotfix can be found in Microsoft Knowledge Base article Q188806
> >
> >ADMINISTRATIVE WORKAROUND
> >Customers who cannot apply the hot fix can use the following workaround to temporarily address this issue:
> >
> >Make the following additions to the Application Map in IIS4:
> >
> >The steps to perform this are:
> >* Open the Microsoft Management Console
> >* Right click on the Virtual Server in question
> >* Select Properties
> >* Select the Home Directory tab
> >* Select Configuration
> >
> >Now add each of the entries noted below:
> >
> >.idc::$DATA
> >.stm::$DATA
> >.asp::$DATA
> >.asa::$DATA
> >.shtm::$DATA
> >.shtml::$DATA
> >.pl::$DATA
> >
> >In addition, the following practices can help to further improve security for your IIS servers:
> >* Periodically review the users and groups who have access to the web server: Review the users and groups and their permissions to ensure that only valid users have the appropriate permissions.
> >* Use auditing to detect suspicious activity: Apply auditing controls on sensitive files and review these logs periodically to detect suspicious or unauthorized behavior.
> >
> >REVISIONS
> >July 2, 1998: Bulletin Created
> >
> >For additional information on security issues at Microsoft, please visit www.microsoft.com/security
> >
> >THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
> >
> >Copyright 1998 Microsoft and/or its suppliers. All rights reserved. For Terms of Use see: http://support.microsoft.com/support/misc/cpyright.asp
>
==========================================================================
Eric Germann
CCTec
[email protected]
Van Wert, OH 45891
http://www.cctec.com
Ph: 419 968 2640
Fax: 419 968 2641
Network Design, Connectivity & System Integration Services
A Microsoft Solution Provider
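The bulletin's root cause is that the script-engine lookup keyed on the raw, un-canonicalized filename, so a name with an NTFS stream suffix matched no script mapping and fell through to static file serving. The following is an added illustration of that failure mode and of the two defensive responses the bulletin describes (canonicalize before dispatch; audit for the pattern). It is not Microsoft's code, not IIS code, and not from the poster. The handler labels, the simplified one-request-per-line log format and the log lines themselves are constructed for the example.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

# NTFS stream syntax is  name:stream:$TYPE ; the stream name may be empty, so
# "file.asp::$DATA" names the unnamed default data stream of file.asp.
_STREAM_SUFFIX = re.compile(r':[^:/\\]*:\$[A-Za-z_]+$')

# The extensions the bulletin's workaround maps to the script engine.
# The handler names below are hypothetical labels, not IIS identifiers.
SCRIPT_EXTENSIONS = {".idc", ".stm", ".asp", ".asa", ".shtm", ".shtml", ".pl"}


def canonicalize_request_path(raw_path: str) -> Tuple[str, bool]:
    """Decode the URL path and strip any NTFS stream suffix.

    Returns (canonical_path, had_stream_suffix).  Decoding first matters:
    a percent-encoded colon must not slip past the check."""
    decoded = unquote(raw_path)
    canonical, hits = _STREAM_SUFFIX.subn("", decoded)
    return canonical, hits > 0


def _extension(path: str) -> str:
    """Extension of the last path segment, lowercased ('' if none)."""
    name = path.rsplit("/", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def select_handler(raw_path: str, canonicalize: bool) -> str:
    """Dispatch a request to 'script-engine' or 'static-file'.

    With canonicalize=False this mirrors the pre-hotfix behaviour the
    bulletin describes: the extension of 'default.asp::$DATA' is
    '.asp::$DATA', which matches no script mapping, so the file body
    (the script source) is served as static content.  With
    canonicalize=True the filename is canonicalized before the lookup."""
    path = canonicalize_request_path(raw_path)[0] if canonicalize else raw_path
    return "script-engine" if _extension(path) in SCRIPT_EXTENSIONS else "static-file"


def scan_log_lines(lines: List[str]) -> List[Tuple[str, str]]:
    """Audit support: flag requests whose path carries an NTFS stream suffix.

    Each line is 'client method uri status' (constructed format).  Returns
    (client, canonical_path) for every flagged request so the reviewer can
    see which script file's source was requested."""
    flagged = []
    for line in lines:
        if line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        client, uri = parts[0], parts[2]
        canonical, had_stream = canonicalize_request_path(uri)
        if had_stream:
            flagged.append((client, canonical))
    return flagged


# Constructed sample log; not real IIS log data.
SAMPLE_LOG = [
    "# constructed sample, not real IIS log data",
    "10.0.0.5 GET /default.asp 200",
    "10.0.0.7 GET /default.asp::$DATA 200",
    "10.0.0.7 GET /include/db.asa%3A%3A%24DATA 200",
    "10.0.0.9 GET /images/logo.gif 200",
]

if __name__ == "__main__":
    for raw in ("/default.asp", "/default.asp::$DATA"):
        print(raw, "->", select_handler(raw, canonicalize=False),
              "(raw) /", select_handler(raw, canonicalize=True), "(canonical)")
    for client, path in scan_log_lines(SAMPLE_LOG):
        print("flagged:", client, "requested stream of", path)
```

The bulletin's interim workaround (adding `.asp::$DATA` and friends to the application map) is the equivalent of extending `SCRIPT_EXTENSIONS` with the suffixed spellings; the hotfix corresponds to `canonicalize=True`, which covers every spelling the regex normalizes rather than only the ones enumerated.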