COMMAND

IIS

SYSTEMS AFFECTED

Microsoft Internet Information Server 4.0, 5.0

PROBLEM

Following is based on Microsoft Security Bulletin (MS00-057). This was originally discovered by Burt Abreu and Søren Skov.

A canonicalization error can, under certain conditions, cause IIS 4.0 or 5.0 to apply incorrect permissions to certain types of files. If an affected file residing in a folder with restrictive permissions were requested via a particular type of malformed URL, the permissions actually used would be those of a folder in the file's parentage chain, but not those of the folder the file actually resides in. If the ancestor folder's permissions were more permissive than those of the correct folder, the malicious user would gain additional privileges to the affected file.

The vulnerability is subject to several significant restrictions:

- It only affects CGI scripts and file types that are implemented via ISAPI extensions. It does not affect static web pages or non-web file types such as .exe, .doc or .bat.
- It only affects servers that expose a web folder structure that mirrors the physical folder structure on the server.
- It does not allow arbitrary permissions to be selected, only permissions present on an ancestor folder.
- It provides no way to enumerate the server and locate files that could be affected by the vulnerability.

SOLUTION

Patch availability:

- Microsoft Internet Information Server 4.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23667
- Microsoft Internet Information Server 5.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23665
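
The restrictions listed under PROBLEM suggest a way to prioritize patching: find script-mapped files whose own folder is more restrictive than one of its ancestors. The Python audit below is an added example, not code from the bulletin or from Microsoft; the extension list, permission labels, folder layout and function names are all constructed assumptions, and it assumes the web paths mirror the physical folders.

```python
from pathlib import PurePosixPath

# Assumed script map: extensions served through CGI or ISAPI extensions on this
# hypothetical server. Static pages and .exe/.doc/.bat are out of scope per the bulletin.
SCRIPT_EXTENSIONS = {".asp", ".pl", ".cgi"}

def effective_permissions(folder, explicit):
    """Permissions of the nearest folder (self or ancestor) with an explicit entry."""
    for candidate in (folder, *folder.parents):
        if str(candidate) in explicit:
            return explicit[str(candidate)]
    return frozenset()

def exposed_files(files, explicit):
    """Map each script-type file to the permissions an ancestor folder grants
    beyond those of the folder the file actually resides in."""
    findings = {}
    for name in files:
        path = PurePosixPath(name)
        if path.suffix.lower() not in SCRIPT_EXTENSIONS:
            continue  # not a CGI/ISAPI-handled type, so not affected
        own = effective_permissions(path.parent, explicit)
        extra = set()
        for ancestor in path.parent.parents:
            extra |= effective_permissions(ancestor, explicit) - own
        if extra:
            findings[name] = sorted(extra)
    return findings

# Constructed sample data: explicit per-folder permissions and a file inventory.
EXPLICIT = {
    "/": frozenset({"read", "script"}),
    "/private": frozenset(),              # no access; subfolders inherit this
    "/private/upload": frozenset({"read"}),
}
FILES = [
    "/index.html",
    "/scripts/search.pl",
    "/private/notes.doc",
    "/private/reports/summary.asp",
    "/private/upload/put.asp",
]
FINDINGS = exposed_files(FILES, EXPLICIT)

if __name__ == "__main__":
    for name, extra in FINDINGS.items():
        print(f"{name}: ancestor grants {', '.join(extra)}")
```

Files reported here are the ones for which an ancestor's permissions would be a gain; files in folders no stricter than their ancestors, and non-script file types, are not listed.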