*** Microsoft (R) Site Builder Network ***
This is special edition of the SBN Wire is to inform our membership of a recent security issue that pertains to Microsoft Internet Information Servers. Please see the Security Bulletin below for details.
The latest information on this matter can be found on http://www.microsoft.com/security.
The SBN Team
------------------
MICROSOFT SECURITY BULLETIN (MS98-003)
Hotfix available for the Microsoft Internet Information Server file access issue Last revision: July 2, 1998
SUMMARY Recently Paul Ashton reported an issue on the NTBugtraq mailing list (http://www.ntbugtraq.com) that affects Microsoft Internet Information Servers (IIS). Web clients that connect to IIS can read the contents of files to which they have execute and read only permissions. These files have to be in a web server v-root directory and on an NTFS volume.
The purpose of this bulletin is to inform Microsoft customers of this issue, its applicability to Microsoft products, and the availability of countermeasures Microsoft has developed to further secure its customers.
ISSUE The native Windows NT file system, NTFS, supports multiple data streams within a file. The main data stream, which stores the primary content has an attribute called $DATA. Accessing this NTFS stream via IIS from a browser may display the script code for the file.
The issue is a result of the way IIS parses filenames. The fix involves IIS supporting NTFS alternate data streams by asking Windows NT to canonicalize the filename.
For the problem to occur the user must:
1) Know the name of the file 2) The ACLs on the file must allow some access (i.e. read and execute access) 3) The file must reside on an NTFS partition
The user cannot view files on which the ACLs are set to deny all access.
For more information on NTFS Alternate Data Streams please see Microsoft Knowledge Base article Q105763.
AFFECTED SOFTWARE VERSIONS Microsoft Internet Information Server version 3.0 and 4.0
MORE INFORMATION Please see Microsoft Knowledge Base article Q188806 for more information.
WHAT MICROSOFT IS DOING The Microsoft Product Security Response Team has produced a hotfix for Microsoft Internet Information Server version 3.0.
Microsoft is currently testing a hot fix for Internet Information Server version 4.0 which will be posted later today.
WHAT CUSTOMERS SHOULD DO Microsoft strongly recommends that customers using IIS version 3 and 4 should apply the hotfix.
IIS 3.0 (Intel x86) hotfix - ftp://ftp.microsoft.com/bussys/IIS/iis- public/fixes/usa/security/iis3-datafix/iis3fixi.exe
IIS 3.0 (Alpha) hotfix - ftp://ftp.microsoft.com/bussys/IIS/iis-
public/fixes/usa/security/iis3-datafix/iis3fixa.exe
IIS 4.0 hotfix - This will be released later today
More information on obtaining the hotfix can be found in Microsoft Knowledge Base article Q188806
ADMINISTRATIVE WORKAROUND Customers who cannot apply the hot fix can use the following workaround to temporarily address this issue:
Make the following additions to the Application Map in IIS4:
The steps to perform this are: * Open the Microsoft Management Console * Right click on the Virtual Server in question * Select Properties * Select the Home Directory tab * Select Configuration
Now add each of the entries noted below:
.idc::$DATA .stm::$DATA .asp::$DATA .asa::$DATA .shtm::$DATA .shtml::$DATA .pl::$DATA
In addition, the following practices can help to further improve security for your IIS servers: * Periodically review the users and groups who have access to the web server: Review the users and groups and their permissions to ensure that only valid users have the appropriate permissions.
* Use auditing to detect for suspicious activity: Apply auditing controls on sensitive files and review these logs periodically to detect suspicious or unauthorized behavior.
REVISIONS July 2, 1998: Bulletin Created
For additional information on security issues at Microsoft, please visit www.microsoft.com/security
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
Copyright 1998 Microsoft and/or its suppliers. All rights reserved. For Terms of Use see: http://support.microsoft.com/support/misc/cpyright.asp
========================================================================== Eric Germann CCTec ekgermann@cctec.com Van Wert, OH 45891 http://www.cctec.com Ph: 419 968 2640 Fax: 419 968 2641 Network Design, Connectivity & System Integration Services A Microsoft Solution Provider