DOCUMENT:Q231656
TITLE   :Preventing Viewcode.asp from Viewing Known Server Files
PRODUCT :Microsoft Site Server
PROD/VER:3.0
OPER/SYS:WINDOWS NT

-------------------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Site Server version 3.0
-------------------------------------------------------------------------------

SYMPTOMS
========

Default installations of Microsoft Site Server include ViewCode.asp, a tool
provided so that users can view files in the sample sites. However, a Web
visitor can also view any file on the server whose Access Control List (ACL)
allows access by Web visitors and whose name the visitor knows or guesses. Note,
however, that the Web visitor cannot change, delete, or add any files.

CAUSE
=====

The ViewCode.asp tool does not restrict which files a visitor to a Web site can
view.

WORKAROUND
==========

Remove all copies of ViewCode.asp from the production server, or set the ACLs on
them so that only the appropriate users can use them.

NOTE: Per normal security practices, the ACLs on the server should always be set
to allow Web visitors to view only the files they need, and to deny access to
all others.

RESOLUTION
==========

A supported fix that corrects this problem is now available from Microsoft, but
it has not been fully regression tested and should be applied only to systems
experiencing this specific problem. If you are not severely affected by this
specific problem, Microsoft recommends that you wait for the next Site Server
service pack that contains this fix.

To resolve this problem immediately, contact Microsoft Product Support Services
to obtain the fix.
For a complete list of Microsoft Product Support Services phone numbers and
information on support costs, please go to the following address on the World
Wide Web:

   http://support.microsoft.com/support/supportnet/default.asp

The English version of this fix should have the following file attributes or
later:

   Date      Time    Size    File name            Platform
   -------------------------------------------------------------
   05/06/99  11:56a  29,088  Common_viewcode.asp  (x86)
   07/02/98  12:27p     913  Eula.txt             (x86)
   05/06/99  11:37a  22,636  PubSys_viewcode.asp  (x86)
   01/27/99  11:02a  62,544  Update.exe           (x86)
   05/06/99  01:42p   7,166  Update.inf           (x86)
   05/06/99  11:56a  29,088  Common_viewcode.asp  (alpha)
   07/02/98  12:27p     913  Eula.txt             (alpha)
   05/06/99  11:37a  22,636  PubSys_viewcode.asp  (alpha)
   01/27/99  11:56a  80,144  Update.exe           (alpha)
   05/06/99  01:42p   7,166  Update.inf           (alpha)

This hotfix has been posted to the following Internet location as Viewfixi.exe
(x86):

   ftp://ftp.microsoft.com/bussys/sitesrv/sitesrv-public/fixes/usa/siteserver3/
   hotfixes-postsp2/Viewcode-fix/

NOTE: A version for Alpha platforms will be available shortly.

NOTE: If this product was already installed on your computer when you purchased
it from the Original Equipment Manufacturer (OEM) and you need this fix, please
call the Pay Per Incident number listed on the above Web site. If you contact
Microsoft to obtain this fix, and if it is determined that you only require the
fix you requested, no fee will be charged. However, if you request additional
technical support, and if your no-charge technical support period has expired,
or if you are not eligible for standard no-charge technical support, you may be
charged a non-refundable fee. For more information about eligibility for
no-charge technical support, see the following article in the Microsoft
Knowledge Base:

   Q154871 Determining If You Are Eligible for No-Charge Technical Support

STATUS
======

Microsoft has confirmed this to be a problem in Site Server 3.0.
MORE INFORMATION
================

Microsoft highly recommends that customers evaluate the degree of risk that this
vulnerability poses to their systems and determine whether to download and
install the fix. This fix corrects the vulnerability by restricting ViewCode.asp
to viewing only files in the current directory. However, Web site operators who
do not need to provide the file viewing capability may choose to remove all
copies of ViewCode.asp from the server altogether.

Environment in Which ViewCode.asp May Cause Security Risk
---------------------------------------------------------

The security exposure is limited to the situation in which all of the following
are true:

 - The sample sites are installed on the server.

 - The sample sites are not protected by ACLs.

 - Sensitive data exists on the same logical drive as ViewCode.asp.

 - Files containing sensitive data allow the "Everyone" user group read or
   greater access in the ACL.

 - Malicious users know the path and filename of files that contain sensitive
   data.

Installing the Fix
------------------

The fix installation program, Update.exe, automatically replaces existing
ViewCode.asp files.

NOTE: Common_viewcode.asp is used to replace the "common" ViewCode.asp file in
the six directories listed below. PubSys_viewcode.asp is used to replace the
existing ViewCode.asp in the Publishing sample (\Microsoft Site
Server\SiteServer\Publishing).

Versions and Locations of ViewCode.asp
--------------------------------------

A complete installation of Site Server 3.0 installs several copies of
ViewCode.asp in different directories. Therefore, if you choose to remove it,
perform a full-disk search to locate all copies.
The following six directories contain the same version of ViewCode.asp:

 - \Microsoft Site Server\Sites\Knowledge\Membership\Inspired
 - \Microsoft Site Server\Sites\Knowledge\Membership\Inspiredtutorial
 - \Microsoft Site Server\Sites\Samples\Knowledge\Membership\Inspired
 - \Microsoft Site Server\Sites\Samples\Knowledge\Membership\Inspiredtutorial
 - \Microsoft Site Server\Sites\Samples\Knowledge\Push
 - \Microsoft Site Server\Sites\Samples\Knowledge\Search

However, the Publishing sample (\Microsoft Site Server\SiteServer\Publishing)
contains a different version of ViewCode.asp that is customized to work
specifically with the Publishing samples. This version allows the samples to
work properly but prevents a malicious user from gaining access to files outside
of the sample sites.

NOTE: ViewCode.asp should always have its ACL permissions set to Administrators
only, or to a group that is limited to Web content developers.

Code Changes in the Fix
-----------------------

The issue is that ViewCode.asp uses "server.mappath" without any restrictions on
what is passed to this function. Because ViewCode.asp allows a user to enter a
path and filename, a malicious user could gain access to, and read (read-only),
any known file on the same logical disk as ViewCode.asp that is not protected
(no ACLs set for it).

The code added to the InitFileReading function in ViewCode.asp is as follows
(these lines of code may wrap):

   'Limit function to .asp and .vbo files in current and child directories
   If instr(1, strVirtualPath, "..", 1) <> 0 Then
      Response.Write("The path to the requested file cannot be mapped.")
      fFileError = TRUE
   ElseIf instr(1, strVirtualPath, ".asp", 1) = 0 And instr(1, strVirtualPath, ".vbo", 1) = 0 Then
      Response.Write("The path to the requested file cannot be mapped.")
      fFileError = TRUE
   ElseIf Left( strVirtualPath, 1) = "/" or Left( strVirtualPath, 1) = "\" Then
      If instr(1, strVirtualPath, "/siteserver/publishing", 1) = 0 And instr(1, strVirtualPath, "/sites/knowledge/membership", 1) = 0 And instr(1, strVirtualPath, "/sites/samples/knowledge", 1) = 0 Then
         Response.Write("The path to the requested file cannot be mapped.")
         fFileError = TRUE
      End If
   End If

For the Publishing sample sites, a slightly different modification is required
(these lines of code may wrap):

   'Limit function to .asp, .vbo, .inc, .txt, and .prf files in current, cmsample, fpsample, and child directories
   If instr(1, strVirtualPath, "..", 1) <> 0 Then
      Response.Write("The path to the requested file cannot be mapped.")
      fFileError = TRUE
   ElseIf instr(1, strVirtualPath, ".asp", 1) = 0 And instr(1, strVirtualPath, ".vbo", 1) = 0 And instr(1, strVirtualPath, ".inc", 1) = 0 And instr(1, strVirtualPath, ".txt", 1) = 0 And instr(1, strVirtualPath, ".prf", 1) = 0 Then
      Response.Write("The path to the requested file cannot be mapped.")
      fFileError = TRUE
   ElseIf Left( strVirtualPath, 1) = "/" or Left( strVirtualPath, 1) = "\" Then
      If instr(1, strVirtualPath, "/siteserver/publishing", 1) = 0 And instr(1, strVirtualPath, "/cmsample", 1) = 0 And instr(1, strVirtualPath, "/fpsample", 1) = 0 Then
         Response.Write("The path to the requested file cannot be mapped.")
         fFileError = TRUE
      End If
   End If

Purpose of ViewCode.asp & Related MSDN Sample
---------------------------------------------

The purpose of ViewCode.asp is to show the Web content developer the code that
makes the sample sites work. This type of function is also used in the Web
author's workshop on the MSDN site
(http://msdn.microsoft.com/workshop/c-frame.htm#/workshop/author/default.asp).
If you base your content on one of the sample sites, remove the buttons (links)
that load the code into ViewCode.asp to display it.

About Installing Samples & Documentation on Production Servers
--------------------------------------------------------------

Most Site Server users do not install the sample sites on their production
servers, just as they do not install the documentation. They are not typically
needed on production servers: they use additional disk space, and because they
are just samples, they may not be as secure as a production environment
requires. If you need to include the samples on a production server, however,
consider restricting access to them to your developers only.

Additional References
---------------------

Please see the following reference for more information related to this issue:

 - Microsoft Security Bulletin MS99-013, "Patch Available for ViewCode.asp
   Vulnerability" (the Web-posted version of this bulletin),
   http://www.microsoft.com/security/bulletins/ms99-013.asp.

For additional security-related information about Microsoft products, please
visit http://www.microsoft.com/security.

Additional query words: patch hotfix hot fix qfe default setup set up viewcode
utility hacker breach read see source

============================================================================
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.
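Added example, not part of the Knowledge Base article or Microsoft's code: the path filter that the "Code Changes in the Fix" section adds to InitFileReading, modelled in Python for both the common and the Publishing allow-lists, beside a stricter variant that canonicalises the virtual path before allow-listing. The base directory, the strict_allows function and the request strings are constructed assumptions.

```python
"""Model of the path filter the Site Server 3.0 hotfix adds to the
InitFileReading function of ViewCode.asp, beside a stricter variant.
Constructed example for illustration; not Microsoft's code."""
import posixpath

# Allow-lists copied from the two code fragments in the article.
COMMON_EXTS = (".asp", ".vbo")
COMMON_DIRS = ("/siteserver/publishing", "/sites/knowledge/membership",
               "/sites/samples/knowledge")
PUBSYS_EXTS = (".asp", ".vbo", ".inc", ".txt", ".prf")
PUBSYS_DIRS = ("/siteserver/publishing", "/cmsample", "/fpsample")


def hotfix_allows(virtual_path, exts, dirs):
    """Mirror the hotfix: three InStr tests, case-insensitive (vbTextCompare).
    A relative path (no leading slash) only faces the ".." and extension tests,
    because Server.MapPath resolves it under ViewCode.asp's own directory."""
    p = virtual_path.lower()
    if ".." in p:
        return False
    if not any(ext in p for ext in exts):
        return False
    if p[:1] in ("/", "\\") and not any(d in p for d in dirs):
        return False
    return True


def strict_allows(virtual_path, exts, dirs, base_dir):
    """Hardened variant (assumed, not from the fix): canonicalise first, then
    allow-list. base_dir is the virtual directory holding this copy of
    ViewCode.asp. The real file extension must be listed, and the resolved path
    must lie under a listed directory rather than merely contain its name."""
    p = virtual_path.replace("\\", "/").lower()
    if not p.startswith("/"):
        p = posixpath.join(base_dir.lower(), p)
    p = posixpath.normpath(p)            # resolves "." and ".." segments
    if posixpath.splitext(p)[1] not in exts:
        return False
    return any(p.startswith(d + "/") for d in dirs)


if __name__ == "__main__":
    base = "/sites/samples/knowledge/search"      # constructed
    for req in ("default.asp", "..\\private.txt", "/other/config.asp",
                "notes.asp.bak", "/misc/sites/samples/knowledge/notes.asp"):
        print(f"{req:45} hotfix={hotfix_allows(req, COMMON_EXTS, COMMON_DIRS)!s:5} "
              f"strict={strict_allows(req, COMMON_EXTS, COMMON_DIRS, base)}")
```

Running the block shows where the two approaches agree (relative sample files pass, ".." and foreign absolute paths fail) and where the InStr substring tests accept a name the canonical check does not.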