Another Security Hole In Microsoft IIS Web Server
Computergram International, July 6, 1998
Another problem with web server security has been identified and patched. Adding '::$DATA' to certain URLs hosted on Microsoft's Internet Information Server makes browsers download the source code to scripts. That source may contain userIDs and passwords. However, the vulnerability may not be as severe as some observers first feared, and Microsoft has been quick to issue a hot fix.
This latest hole in IIS security was reported by Paul Ashton, a UK consultant and co-moderator of the NTBugTraq mailing list. "It is left as an exercise for the reader to think of further implications in other programs running on NT," Ashton concluded drily.

Dave Winer, CEO of Userland Software and webmaster of Scripting.com, claims the flaw lets hackers into frequent flier mileage databases and credit card records. "If I operated a Windows-based web server with script code of any kind, I'd shut it down while I did a complete site audit," he writes.

But Russ Cooper, co-moderator with Paul Ashton of NTBugTraq, isn't so sure. "Dave's giddy with information," he says. "What you can get access to is the username and password - maybe." That information could let hackers breach a database, assuming the sitemaster hadn't already restricted access to certain trusted machines. If that has been done, the hackers would still have to compromise those machines before they could get in.

Cooper suggests that the more damaging consequence of the bug is the most obvious one. "All that hard work you did in coming up with your dream web application is now completely up for grabs," he says, "if any old person can get a look at your source."

Cooper points out that webmasters running IIS can secure their sites immediately by disabling read access to all directories containing executable content. "Of course they'll then have to go back and enable read for files that are not executable, otherwise the gifs [image files] won't download," he warns.

For a software patch, visit Microsoft at http://www.microsoft.com/security/bulletins/ms98-003.htm or Softwing at http://www.softwing.com/iisdev/ddatafix/.
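As an added example (not part of the original article and not Microsoft's or Softwing's code), the check below shows how a webmaster doing the site audit mentioned above could scan web server logs for requests that append '::$DATA' to a script URL, including percent-encoded forms. The W3C-style field names, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample in W3C extended log format (not taken from the article).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
1998-07-06 10:00:01 192.0.2.10 GET /default.asp - 200
1998-07-06 10:00:05 192.0.2.44 GET /login.asp::$DATA - 200
1998-07-06 10:00:09 192.0.2.44 GET /login.asp%3A%3A%24DATA - 200
1998-07-06 10:00:12 192.0.2.44 GET /cart.asp%253a%253a%2524data - 404
1998-07-06 10:00:20 192.0.2.10 GET /images/logo.gif - 200
"""

# The suffix described in the article, matched case-insensitively at end of path.
STREAM_SUFFIX = re.compile(r"::\$data$", re.IGNORECASE)

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded suffixes are also caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_stream_requests(log_text):
    """Return one dict per request whose decoded path ends in ::$DATA."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue                    # malformed row, skip rather than guess
        row = dict(zip(fields, parts))
        path = fully_decode(row.get("cs-uri-stem", ""))
        if STREAM_SUFFIX.search(path):
            hits.append({"client": row.get("c-ip"), "path": path,
                         "status": row.get("sc-status"),
                         # a 200 suggests the request was answered with content
                         "served": row.get("sc-status") == "200"})
    return hits

if __name__ == "__main__":
    for hit in find_stream_requests(SAMPLE_LOG):
        print(hit)
```

Hits marked `served` are the ones to review first, since any credentials embedded in those scripts should be treated as exposed and changed.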


