DOCUMENT:Q232449 TITLE :Sample ASP Code May be Used to View Unsecured Server Files PRODUCT :IIS PROD/VER:4.0 OPER/SYS:WINDOWS NT KEYWORD :prodiis4 ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Internet Information Server version 4.0 ------------------------------------------------------------------------------- SYMPTOMS ======== When you install the following Active Server Page (ASP) sample files on a computer running Internet Information Server (IIS) 4.0, a Web visitor may be able to use these files to gain access to and read any known file on the same logical disk as the installed ASP code, which is not protected by setting the system Access Control Lists (ACLs) for these files: - \Iissamples\Exair\Howitworks\Code.asp - \Iissamples\Exair\Howitworks\Codebrws.asp - \Iissamples\Sdk\Asp\Docs\Codebrws.asp - \\System\Msadc\Samples\Selector\Showcode.asp Please note, however, that the Web visitor cannot change, delete, or add any files. CAUSE ===== The installed ASP code was never intended for anything other than demonstration purposes and does not restrict which files a visitor to a Web site can view. WORKAROUND ========== Remove all copies of Showcode.asp, Code.asp, and CodeBrws.asp from the production server, or set the ACLs for each of these files so that only the appropriate users have access. NOTE: Per normal security practices, the ACLs on the server should always be set to enable Web visitors to view only the files they need, and to deny access to all others. RESOLUTION ========== A supported fix that corrects this problem is now available from Microsoft, but it has not been fully regression tested and should be applied only to systems experiencing this specific problem. To resolve this problem, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information on support costs, please go to the following address on the World Wide Web: http://support.microsoft.com/support/supportnet/default.asp The English version of this fix should have the following file attributes or later: Date Time Size File name Platform ------------------------------------------------------------------------- 5/17/99 1:17PM 3Kb Code.asp 5/17/99 1:17PM 8Kb Codebrw1.asp 5/17/99 1:17PM 8Kb Codebrw2.asp 5/17/99 1:17PM 6Kb Showcode.asp 5/17/99 1:17PM 3Kb Code.asp 5/17/99 1:17PM 8Kb Codebrw1.asp 5/17/99 1:17PM 8Kb CodeBrw2.asp 5/17/99 1:17PM 6Kb Showcode.asp This hotfix has been posted to the following Internet location as Fix2450I.exe (Intel) or Fix2450A.exe (Alpha): ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/Viewcode-fix/ NOTE: If this product was already installed on your computer when you purchased it from the Original Equipment Manufacturer (OEM) and you need this fix, please call the Pay Per Incident number listed on the above Web site. If you contact Microsoft to obtain this fix, and if it is determined that you only require the fix you requested, no fee will be charged. However, if you request additional technical support, and if your no-charge technical support period has expired, or if you are not eligible for standard no-charge technical support, you may be charged a non-refundable fee. For more information about eligibility for no-charge technical support, see the following article in the Microsoft Knowledge Base: Q154871 Determining If You Are Eligible for No-Charge Technical Support STATUS ====== Microsoft has confirmed this to be a problem in Internet Information Server 4.0. MORE INFORMATION ================ Microsoft highly recommends that customers evaluate the degree of risk that this vulnerability poses to their systems and determine whether to download and install the fix. This fix corrects the vulnerability by restricting Showcode.asp, Code.asp, and CodeBrws.asp to viewing only files in the current directory. However, Web site operators who do not have a need to provide the file viewing capability may choose to remove all copies OF Showcode.asp, Code.asp, and CodeBrws.asp from the server altogether. Environment in Which These ASP Files May Cause Security Risk ------------------------------------------------------------ Security exposure is limited to the situation in which all of the following conditions are true: - Servers have the sample sites installed. - The sample sites are not protected by ACLs (Access Control Lists). - Sensitive data exists on the same logical drive as Showcode.asp, Code.asp, and CodeBrws.asp. - Files containing sensitive data allow the "Everyone" user group read or greater access in the ACL. - Malicious users know the path and file name of files that contain sensitive data. Installing the Fix ------------------ The fix installation program (Fix2450I.exe [Intel] and Fix2450A.exe [Alpha]) automatically replaces existing Showcode.asp, Code.asp, and CodeBrws.asp files. NOTE: The default installation directories listed below the fix installation package will attempt to locate the files as they were installed onto the effected system. After you install the fix, you should perform a complete disk search for these files to verify that all instances of these files have been replaced. If your IIS 4.0 installation was installed into a different directory than the default directory, then you must verify that the effected files have been removed and replaced by performing a full disk search for these files. - \Iissamples\Exair\Howitworks\Code.asp - \Iissamples\Exair\Howitworks\Codebrws.asp - \Iissamples\Sdk\Asp\docs\Codebrws.asp - \\System\Msadc\Samples\Selector\Showcode.asp A complete installation of the sample code for Internet Information Server 4.0 and the Internet SDK will install various copies of Showcode.asp, Code.asp, and CodeBrws.asp in different directories. Therefore, if you to choose to remove it, perform a full-disk search to locate all copies. To manually extract the modified ASP files from the distribution fix, do the following: 1. Copy the distribution file (Fix2450I or Fix2450A as appropriate) to a temporary location. 2. Open a command prompt and change to that directory. 3. On the command line type "Fix2450I.EXE /T:c:\temp /C" or "Fix2450A.EXE /T:c:\temp /C" as appropriate. This command will extract the files to the location of c:\temp. 4. Various installation files will be extracted, but the effected files are as follows: - Code.asp - CODEBRW1.ASP (this file is installed in the \iissamples\ExAir\HowItWorks directory) - CODEBRW2.ASP (this file is installed in the \Iissamples\Sdk\asp\Docs\ directory) - Showcode.asp NOTE: Showcode.asp, Code.asp, and CodeBrws.asp should always have the ACL permissions set to Administrators only, or to a group that is limited to Web content developers. Code Changes in the Fix ----------------------- Showcode.asp, Code.asp, and CodeBrws.asp files use "server.mappath" without any restrictions on what is passed to this function. Because Showcode.asp, Code.asp, and CodeBrws.asp allow a user to enter a path and filename, a malicious user could gain access to and read (read-only) any known file on the same logical disk as Showcode.asp, Code.asp, and CodeBrws.asp, which are not protected (no ACLs set). The code added to Code.asp is as follows: (Note: These lines of code may wrap): The following code was removed from Code.asp: (Note: These lines of code may wrap): < ' Function to determine if a file exists Function FileExists(Source) On Error Resume Next strFilename = Server.MapPath(Source) Set FileObject = Server.CreateObject("Scripting.FileSystemObject") FileExists = False ' Attempt to open the file Set oTempStream = FileObject.OpenTextFile(strFilename, 1, FALSE, TRUE ) If Err = 0 Then FileExists = True End Function %> The following code was added to ShowCode.asp (Note: These lines of code may wrap): REM *************** NOTICE **************** REM * This file may only be used to view * REM * source code of .asp files in the * REM * AdvWorks or ASP Sample directory. * REM * If you wish to change the security * REM * on this, modify or remove this * REM * function. * REM *************************************** REM ************************************** REM intended behavior: REM allow access to only .asp, .htm, .html, .inc files REM in some directory starting from /Msdac REM and without .. in the path REM ************************************** FUNCTION fValidPath (ByVal strPath) If InStr(1, strPath, "/Msadc/", 1) Then ' the beginning of the string looks good Dim dwLen Dim SomeKnownExtension SomeKnownExtension = false dwLen = Len(strPath) If Not SomeKnownExtension Then If InStr(dwLen-5,strPath,".html",1) Then SomeKnownExtension = true End If End If If Not SomeKnownExtension Then If InStr(dwLen-4,strPath,".htm",1) Then SomeKnownExtension = true End If End If If Not SomeKnownExtension Then If InStr(dwLen-4,strPath,".asp",1) Then SomeKnownExtension = true End If End If If Not SomeKnownExtension Then If InStr(dwLen-4,strPath,".inc",1) Then SomeKnownExtension = true End If End If If Not SomeKnownExtension Then fValidPath = 0 Exit Function End If ' now the most importan part: look for .. If InStr(1,strPath,"..",1) Then fValidPath = 0 Else fValidPath = 1 End If Else fValidPath = 0 End If END FUNCTION The following code was added to CodeBrws.asp: (Note: These lines of code may wrap): REM ************************************** REM intended behavior: REM allow access to only .asp, .htm, .html, .inc files REM in some directory starting from /IISSAMPLES REM and without .. in the path REM ************************************** FUNCTION fValidPath (ByVal strPath) If InStr(1, strPath, "/iissamples/", 1) Then ' the beginning of the string looks good Dim dwLen Dim SomeKnownExtension SomeKnownExtension = false dwLen = Len(strPath) If Not SomeKnownExtension Then If InStr(dwLen-5,strPath,".html",1) Then SomeKnownExtension = true End If End If If Not SomeKnownExtension Then If InStr(dwLen-4,strPath,".htm",1) Then SomeKnownExtension = true End If End If If Not SomeKnownExtension Then If InStr(dwLen-4,strPath,".asp",1) Then SomeKnownExtension = true End If End If If Not SomeKnownExtension Then If InStr(dwLen-4,strPath,".inc",1) Then SomeKnownExtension = true End If End If If Not SomeKnownExtension Then fValidPath = 0 Exit Function End If ' now the most importan part: look for .. If InStr(1,strPath,"..",1) Then fValidPath = 0 Else fValidPath = 1 End If Else fValidPath = 0 End If END FUNCTION Purpose of Showcode.asp, Code.asp, and CodeBrws.asp, and Related MSDN Samples ----------------------------------------------------------------------------- The purpose of Showcode.asp, Code.asp, and CodeBrws.asp. is to show the Web content developer the code that makes the sample sites work. This type of function is also used on the Web author's workshop on the MSDN site (http://msdn.microsoft.com/workshop/c-frame.htm#/workshop/author/default.asp). If you base your content on one of the sample sites, remove the buttons (links) that load the code into Showcode.asp, Code.asp, and CodeBrws.asp to display it. Installing Samples and Documentation on Production Servers ---------------------------------------------------------- Most Internet Information Server 4.0 users do not install the sample sites on their production servers, just as they do not install the documentation. They are not typically needed on the production servers, as they use additional disk space. Because they are just samples, they may not be secure in a production environment. If you have a need to include the samples on a production server, consider restricting access to your developers only. Additional References --------------------- For more information related to this issue, please see the following: Microsoft Security Bulletin MS99-013, "Patch Available for ViewCode.asp Vulnerability" (The Web-posted version of this bulletin), http://www.microsoft.com/security/bulletins/ms99-013.asp For additional security-related information about Microsoft products, please visit: http://www.microsoft.com/security Additional query words: patch hotfix hot fix qfe default setup set up viewcode utility hacker breach read see source ============================================================================ THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.