|
|
|||
Release Date:2009-09-27
Attack Name:Viewcode access
OS Type:Window
Application Type:IIS
Severity:Info
BUG ID:
CVE ID:
| Description:
|
A sample Active Server Page (ASP) script installed by default on Microsoft's Internet Information Server (IIS) 4.0 gives remote users access to view any file on the same volume as the web server that is readable by the web server.
IIS 4.0 installs a number of sample ASP scripts including one called 'showcode.asp'. This script allows clients to view the source of other sample scripts via a browser. The 'showcode.asp' script does not perform sufficent checks and allows files outside the sample directory to be requested. In particular, it does not check for '..' in the path of the requested file.
The script takes one parameter, 'source', which is the file to view. The script's default location URL is:
http://www.sitename.com/msadc/Samples/SELECTOR/showcode.asp
Similar vulnerabilities have been noted in ViewCode.asp, CodeBrws.asp and Winmsdp.exe.
| Solution:
|
Do not install the sample code on production servers. If you have installed the sample code remove it or install the patches:
Microsoft Site Server 3.0 alpha
Microsoft Site Server 3.0 Service Pack 4 (Alpha)
http://download.microsoft.com/download/siteserver30/SP/sp4/NT45/EN-US/ ss3sp4-alpha.EXE
Microsoft Site Server Commerce Edition 3.0 SP2 i386
Microsoft Site Server 3.0 Service Pack 4 (Alpha)
http://download.microsoft.com/download/siteserver30/SP/sp4/NT45/EN-US/ ss3sp4-alpha.EXE
Microsoft Site Server 3.0 Service Pack 4 (Intel)
http://download.microsoft.com/download/siteserver30/SP/sp4/NT45/EN-US/ ss3sp4-x86.EXE