IIS MAY EXPOSE ASP CODE
Internet Information Server (IIS) may reveal Active Server Pages (ASP) code in situations where the URL path contains a period in part of the extended URL. For example, a URL such as http://www.somesite.com/new.products/hello.asp would display the code within hello.asp instead of executing it -- apparently the "new.products" portion of the URL causes the problem.
The problem occurs consistently on FAT partitions, and only happens on NTFS partitions where the Everyone group has read access, or IUSR_MACHINENAME has read access. On NTFS partitions that do not allow read access to Everyone or IUSR_MACHINENAME, the system prompts the user for an ID and password.
Microsoft's response is unknown at this time. However, the prudent Web site administrator may easily prevent this problem from occurring by placing all .ASP files in a scripts directory, and disallowing read access to that directory.
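The following audit sketch is an added example, not part of the original advisory. It walks a web root and lists .ASP files that sit under a directory whose name contains a period (the condition described above) and .ASP files stored outside the scripts directory. The function names, the top-level directory name `scripts`, and the sample tree are assumptions; NTFS ACLs and the IIS read permission must still be checked separately.

```python
import tempfile
from pathlib import Path


def audit_asp_placement(web_root, scripts_dir="scripts"):
    """Return (dotted, outside) as sorted lists of paths relative to web_root.

    dotted  - .asp files below a directory whose name contains a period
    outside - .asp files not stored under the top-level scripts directory
    """
    root = Path(web_root)
    dotted, outside = [], []
    for path in root.rglob("*"):
        # Compare the extension case-insensitively: .ASP and .asp are the same to IIS.
        if not path.is_file() or path.suffix.lower() != ".asp":
            continue
        rel = path.relative_to(root)
        dirs = rel.parts[:-1]  # directory components only, file name excluded
        if any("." in d for d in dirs):
            dotted.append(rel.as_posix())
        if not dirs or dirs[0].lower() != scripts_dir.lower():
            outside.append(rel.as_posix())
    return sorted(dotted), sorted(outside)


def build_sample_tree(base):
    """Constructed sample layout; only new.products/hello.asp comes from the advisory."""
    for rel in ("new.products/hello.asp", "scripts/order.asp",
                "catalog/list.ASP", "scripts/v1.2/report.asp", "index.htm"):
        p = Path(base, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text('<% Response.Write "hello" %>')


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        dotted, outside = audit_asp_placement(tmp)
        print("ASP files under a directory with a period in its name:")
        for name in dotted:
            print("  " + name)
        print("ASP files outside the scripts directory:")
        for name in outside:
            print("  " + name)
```

Files in the first list should be moved or their directories renamed; files in the second list should be moved into the scripts directory before read access to it is removed.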
To learn more about NT Security concerns, subscribe to NTSD
Credits
- Originally reported by Marco Miltenburg
- Posted on The NT Shop on August 24, 1998