The custom error page 500-100.asp may return sensitive information in Internet Information Services 5.0 and in Internet Information Services 5.1 (906910)



The information in this article applies to:

  • Microsoft Internet Information Services 5.0
  • Microsoft Internet Information Services version 5.1

SYMPTOMS

In certain scenarios, the Microsoft Internet Information Services (IIS) custom error page 500-100.asp may return sensitive information to a browser. This problem may occur only in Microsoft Internet Information Services 5.0 and in Microsoft Internet Information Services 5.1. Microsoft Internet Information Services 6.0 is not affected.

By sending a specially crafted request, you can bypass a verification step in the custom error page 500-100.asp. This page is executed only if an Active Server Pages (ASP) page that is present on the server that is running IIS contains a script error. The verification step makes sure that a detailed error message about this script error is returned to the browser only if the request is made from the Web server computer itself. In certain scenarios, this detailed error message may contain sensitive information about the configuration of the server that is running IIS.

RESOLUTION

To resolve this problem, use one of the following methods:
  • Remove the All Unassigned binding for each of your sites, and specify the host name that your site requires.
  • Update the 500-100.asp page. The 500-100.asp page is located under %windir%/iishelp/common. To update the 500-100.asp page, locate the following line of code.
    If (strServername = "localhost" Or strServerIP = strRemoteIP) And objASPError.File <> "?" Then
    Change this line of code to the following line of code.
    If (strServerIP = strRemoteIp) And objASPError.File <> "?" Then
    This update is the same for IIS 5.0 and for IIS 5.1.
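
To check whether a given copy of 500-100.asp still carries the original verification line, and to apply the change described above, the following script can be used. It is an added example, not part of the original article or of IIS; it assumes the text of the page has already been read into a string, and the sample input is constructed.

```python
import re

# VBScript ignores case and extra whitespace, so the patterns do too.
LOCALHOST_CLAUSE = re.compile(r'\bstrServername\s*=\s*"localhost"\s+Or\s+', re.I)
GUARD_LINE = re.compile(r'^\s*If\b.*\bobjASPError\.File\s*<>\s*"\?"\s*Then\b', re.I)
IP_COMPARE = re.compile(r'\bstrServerIP\s*=\s*strRemoteIP\b', re.I)

# Constructed sample; only the guard line is taken from the article.
SAMPLE = '''<%
' If (strServername = "localhost" Or strServerIP = strRemoteIP) And objASPError.File <> "?" Then
  If (strServername = "localhost" Or strServerIP = strRemoteIP) And objASPError.File <> "?" Then
    Response.Write "detailed error text"
  End If
%>
'''


def is_comment(line):
    """True for VBScript comment lines, which must not count as live code."""
    stripped = line.lstrip()
    return stripped.startswith("'") or stripped[:4].lower() == "rem "


def audit(asp_source):
    """Return 'vulnerable', 'patched' or 'unknown' for the text of 500-100.asp."""
    status = "unknown"
    for line in asp_source.splitlines():
        if is_comment(line) or not GUARD_LINE.search(line):
            continue
        if LOCALHOST_CLAUSE.search(line):
            return "vulnerable"      # the "localhost" comparison is still live
        if IP_COMPARE.search(line):
            status = "patched"       # only the IP comparison remains
    return status


def patch(asp_source):
    """Drop the "localhost" clause from live guard lines; leave all else as is."""
    out = []
    for line in asp_source.splitlines(keepends=True):
        if not is_comment(line) and GUARD_LINE.search(line):
            line = LOCALHOST_CLAUSE.sub("", line)
        out.append(line)
    return "".join(out)


if __name__ == "__main__":
    print(audit(SAMPLE), "->", audit(patch(SAMPLE)))
```

A result of "unknown" means no live line matching the article's verification step was found, so the page has been customized and needs manual review.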

Modification Type: Major
Last Reviewed: 8/29/2005
Keywords: kbprb KB906910 kbAudITPRO kbAudDeveloper