Solution Available for File Viewers Vulnerability (231368)

SYMPTOMS

Microsoft has identified a vulnerability that occurs in some file viewers that are included with Microsoft Site Server and Internet Information Server.

The vulnerability could allow a Web site visitor to view, but not to change, files on the server, provided that the visitor knows or guesses the name of each file and has access rights to the file based on the Windows NT Access Control Lists (ACLs).

RESOLUTION

Site Server 3.0

To resolve this problem, obtain the latest service pack for Site Server 3.0. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

219292 How to Obtain the Latest Site Server 3.0 Service Pack

This problem was first corrected in Site Server 3.0 Service Pack 3.

IIS 4.0

A fix has been developed for IIS 4.0, and has been posted to the following Internet location as Fix2450I.exe (Intel) or Fix2450A.exe (Alpha):

ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/Viewcode-fix/

Please see the following article in the Microsoft Knowledge Base for more information about this fix:

232449 Sample ASP Code May be Used to View Unsecured Server Files

WORKAROUND

To eliminate the vulnerability on your Web server that can be caused by these file viewers, you should:

Remove the affected file viewers, unless they are specifically required on the Web site. The following file viewers are affected: ViewCode.asp, ShowCode.asp, Code.asp, CodeBrws.asp, and Winmsdp.exe. Depending on the specific installation, not all of these files may be present on a server. There may be multiple copies of some files, so you should perform a full search of your servers to locate all copies.
In accordance with standard security guidelines, file permissions should always be set to enable Web visitors to gain access to only the files they need, and no others. Files that are needed by Web visitors should provide the least privilege needed. For example, files that Web visitors need to be able to read but not write should be set to read-only.
As a general rule, sample files and virtual roots (vroots) should always be deleted from a Web server before you put it into production. If sample files and vroots are needed, file access permissions should be used to regulate access to them as appropriate

MORE INFORMATION

Microsoft Site Server and Internet Information Server (IIS) include tools that allow Web site visitors to view selected files on the server. These tools are installed by default in Site Server, but must be explicitly installed in IIS. These tools are provided to allow users to view the source code of sample files as a learning exercise, and are not intended to be deployed on production Web servers. The underlying problem in this vulnerability is that the tools do not restrict which files a Web site visitor can view.

Note the following important points:

These file viewers are not installed by default in IIS. They are installed in IIS only if you choose to install the sample Web files.
This vulnerability allows a Web site visitor only to view files. There is no capability to change files or add files to the server.
This vulnerability does not in any way bypass the Windows NT file permission ACLs. A Web site visitor can use these tools to view only files whose ACLs allows them read access. The administrator of the Web server determines the specific permissions for all files on the server.
The viewers can only be used to view files on the same partition as the currently displayed Web page. Databases, such as those used by e-commerce servers, are typically stored on a different physical drive, and would not be at risk.
The Web site visitor needs to know or guess the name of each file they want to view.

Additional References

Microsoft Security Bulletin MS99-013, "Solution Available for File Viewers Vulnerability"
http://www.microsoft.com/technet/security/Bulletin/MS99-013.mspx