Code Exposed by UNC Mappings and Virtual Paths Under IIS
Reported March 30, 2000 by Microsoft
- Microsoft Internet Information Server 4.0 and 5.0
- Microsoft Proxy Server 2.0
- Microsoft Site Server and Site Server, Commerce Edition 3.0
- Microsoft Commercial Internet System 2.0 and 2.5
According to Microsoft"s report on the matter, "If a virtual directory on an IIS server is mapped to a UNC share, and a request for a file in the directory contains one of several particular characters at the end, the expected ISAPI extension processing may not occur. The result is that the source code of the file would be sent to the browser.
There are significant restrictions that would increase the difficulty of exploiting this vulnerability:
- By design, virtual directories hide the actual location of files. Under most circumstances, there would be no way for an attacker to determine which files on a server actually reside on a UNC share.
- Many browsers will “correct” requests that contain the trailing characters at issue here, by either removing the characters or changing them.
- If recommended security practices are followed, .ASP and other files that require server-side processing will not contain any sensitive information to compromise. "
Microsoft has issued a patch for IIS 4 on Intel and IIS 4 on Alpha, as well as a patch for IIS 5 on Intel. Microsoft also issued a FAQ and Support Online article Q249599.
NOTE: Proxy Server, Site Server, Site Server Commerce Edition and Microsoft Commercial Internet System run atop IIS. Customers using these products should apply the patch appropriate for the version of IIS they are running.
Reported by Microsoft