IIS MAY EXPOSE ASP CODE
Reported August 24, 1998 by Marco Miltenburg on NTBugTraq

VERSIONS AFFECTED

  • Microsoft Internet Information Server with Active Server Pages

DESCRIPTION

Internet Information Server (IIS) may reveal Active Server Pages (ASP) code in situations where the URL path contains a period in part of the extended URL. For example, a URL such as http://www.somesite.com/new.products/hello.asp would display the code within hello.asp instead of executing it -- apparently the "new.products" portion of the URL causes the problem.

The problem occurs consistently on FAT partitions, and only happens on NTFS partitions where the Everyone group has read access, or IUSR_MACHINENAME has read access. On NTFS partitions that do not allow read access to Everyone or IUSR_MACHINENAME, the system prompts the user for an ID and password.

SOLUTION

Microsoft's response is unknown at this time. However, the prudent Web site administrator may easily prevent this problem from occurring by placing all .ASP files in a scripts directory, and disallowing read access to that directory.
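
To find the files this applies to, an administrator can inventory the web root for .asp files that sit under a directory whose name contains a period, or that live outside the scripts directory. The script below is an added example, not part of the original advisory or any Microsoft tool. The directory name "scripts", the function names and the sample paths are assumptions made for illustration, and the script does not read ACLs, so read access for Everyone and IUSR_MACHINENAME on the flagged locations still has to be reviewed separately.

```python
import os
from pathlib import PureWindowsPath

SCRIPTS_DIR = "scripts"  # assumed name of the directory that holds all .asp files


def list_web_root(root):
    """Return every file under root as a path relative to root."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            found.append(os.path.relpath(os.path.join(dirpath, name), root))
    return found


def audit_asp_paths(rel_paths, scripts_dir=SCRIPTS_DIR):
    """Flag .asp files under a dotted directory or outside scripts_dir."""
    findings = []
    for rel in rel_paths:
        path = PureWindowsPath(rel)  # accepts both / and \ separators
        if path.suffix.lower() != ".asp":
            continue
        dirs = path.parts[:-1]
        # Directory components containing a period, as in "new.products".
        dotted = [d for d in dirs if "." in d and d != ".."]
        # Windows names are case-insensitive, so compare in lower case.
        outside = not dirs or dirs[0].lower() != scripts_dir.lower()
        if dotted or outside:
            findings.append(
                {"path": rel, "dotted_dirs": dotted, "outside_scripts": outside}
            )
    return findings


# Constructed sample paths, relative to a hypothetical web root.
SAMPLE_PATHS = [
    "new.products/hello.asp",
    "scripts/hello.asp",
    "default.asp",
    "scripts/v1.0/cart.asp",
    "images/logo.gif",
    "docs\\Login.ASP",
]

if __name__ == "__main__":
    for finding in audit_asp_paths(SAMPLE_PATHS):
        print(finding)
```

On a live server, pass the output of list_web_root() for the site's root directory to audit_asp_paths() in place of the sample list.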

Credits
- Originally reported by Marco Miltenburg
- Posted on The NT Shop on August 24, 1998