Vulnerability: IIS

Affected: IIS 4 with FAT file system

Description

The following is based on the VIGILANTE-2001001 advisory by Hack Kampbjorn.

Active Server Pages (ASP) are web scripts that are executed on Internet Information Server (IIS); the result is sent to the user. IIS determines whether a file is an ASP script by its .asp extension. With Unicode there are many ways the .asp extension can be encoded. On FAT file systems some of these encodings will not be recognized by IIS as an ASP script and executed on the server; instead IIS will disclose the source code of the script.

Solution

The Microsoft Security Response Center has investigated the report, but notes that the problem as reported would only affect an IIS server that has been configured to use a FAT volume. However, by design, FAT provides no security mechanism, and it is never an appropriate file system for a production web server. Instead, as discussed in Microsoft's best practices guides and security checklists, production servers should always use NTFS volumes. The reported problem does not affect systems using NTFS.

As a workaround, convert the file system to NTFS. Also consider removing read access for IUSR_<hostname> on ASP scripts (granting IUSR_<hostname> execute rights only).
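The root of the advisory is a mismatch: the script-or-static decision is made on one spelling of the file name while the file system resolves another, so an unrecognized spelling falls through to the static handler and the source is served. The Python below is an added illustration of that class of bug and of a fail-closed check, not code from the advisory, from Microsoft or from IIS; the sample requests, the %uXXXX escape handling and the policy are constructed assumptions, and the real IIS 4 code path is not modelled. It contrasts a naive extension test on the raw request with a check on the decoded name that refuses anything outside plain ASCII.

```python
import re
import unicodedata
from urllib.parse import unquote

ASP_EXT = ".asp"

# Assumption: besides standard %XX escapes, the server also accepts a
# non-standard %uXXXX escape. Both are decoded before any decision is made.
_U_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")


def decode_request_path(raw: str) -> str:
    """Decode %uXXXX and %XX escapes into the name the server would open."""
    step1 = _U_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), raw)
    return unquote(step1)


def canonical_name(raw: str) -> str:
    """Decoded name with compatibility characters folded (NFKC) and lower-cased:
    the spelling a human would read, used here to explain why a request matters."""
    return unicodedata.normalize("NFKC", decode_request_path(raw)).lower()


def naive_is_asp(raw: str) -> bool:
    """Model of the weak decision: look only at the raw request string."""
    return raw.lower().endswith(ASP_EXT)


def classify(raw: str) -> str:
    """Fail-closed policy on the decoded name:
    'reject' - decoded name contains anything outside plain ASCII
    'script' - decoded name ends in .asp (case-insensitive), so run it
    'static' - anything else, serve the bytes
    """
    decoded = decode_request_path(raw)
    if not decoded.isascii():
        return "reject"
    return "script" if decoded.lower().endswith(ASP_EXT) else "static"


def audit(requests):
    """Return (raw, naive_says_asp, policy) for each request."""
    return [(raw, naive_is_asp(raw), classify(raw)) for raw in requests]


def disclosure_candidates(requests):
    """Requests the naive check would NOT treat as ASP although the canonical
    name is an ASP script: under the naive decision these go to the static
    handler, i.e. the source-disclosure cases the advisory describes."""
    return [raw for raw in requests
            if not naive_is_asp(raw) and canonical_name(raw).endswith(ASP_EXT)]


# Constructed sample requests (not taken from the advisory).
SAMPLE_REQUESTS = [
    "/default.asp",        # plain name
    "/default.ASP",        # case variant, still ASCII
    "/default.%u0041sp",   # 'A' spelled as a %u escape
    "/default.%61sp",      # 'a' spelled as a %XX escape
    "/default.%uff41sp",   # fullwidth 'a' (U+FF41): non-ASCII after decoding
    "/logo.gif",           # ordinary static file
]

if __name__ == "__main__":
    for raw, naive, policy in audit(SAMPLE_REQUESTS):
        print(f"{raw:22} naive_is_asp={naive!s:5} policy={policy}")
    print("naive check would disclose:", disclosure_candidates(SAMPLE_REQUESTS))
```

The naive test passes only the first two requests to the script engine; the other three spellings of the same name would reach the static handler. The fail-closed policy decodes first, runs the two ASCII respellings as scripts, and refuses the fullwidth one outright rather than guessing what the file system will do with it. This mirrors the advisory's remedy in spirit: do not let the handler decision depend on a spelling the file system may resolve differently, and on top of that keep script sources unreadable to IUSR_<hostname> so a misclassified request has nothing to return.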