Reported January 29, 2001, by Microsoft.

VERSIONS AFFECTED

  • Internet Information Server 4.0

  • Internet Information Server 5.0 

DESCRIPTION

Microsoft has issued a patch for a new variation of the “File Fragment Reading via .HTR” vulnerability. A malicious user can use this vulnerability to read .asp files.

VENDOR RESPONSE

Microsoft has released a security bulletin, MS01-004. Microsoft recommends that users disable .htr functionality and not store sensitive information on a Web server.

CREDIT
Discovered by Microsoft.