COMMAND

IIS

SYSTEMS AFFECTED

IIS 4.0, 5.0

PROBLEM

Daniel Doekal found the following. It concerns many of us, because the ignorance of some webmasters running IIS (Internet Information Server) 4.0/5.0 exceeds an acceptable level. During an informal test done by his security team he found that MOST IIS4/5 web sites are vulnerable to the NULL.HTW, +.HTR or Translate:f security bugs. Because of this, anybody can access the source code of scripts and grab passwords, names or the locations of Access MDB files. In dozens of cases Daniel was able to download megabytes of databases containing anything from thousands of e-mail addresses up to logon names with passwords (and, as is well known, people use the same password all over the Internet).

He has notified the webmasters of the vulnerable sites but, surprisingly, some of the responses showed a lack of understanding, and their sites are still open even weeks after he discovered this.

If you need to test your site for these bugs, please feel free to use:

http://security.namodro.cz/urlcheck.asp?lang=en

SOLUTION

The "Translate" vulnerability affecting ASP source pages, which Daniel's page tests for, can be patched by applying W2K SP1. MS have now released the Hotfix (for those not deploying the 76+MB W2K SP1) which addresses the "Translate" issue:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23769

Shawn Hall pointed out that the fix was also included in the 9+MB Exchange Server 2000 RC2 Rollup fix (beta) from June:

http://download.microsoft.com/download/win2000srv/Patch/Q262259/NT5/EN-US/Q262259_W2K_SP1_X86_EN.EXE

There had been a KB article in the MS Knowledgebase about this issue since May/June, but it was subsequently pulled. MS had not issued a Security Bulletin on the issue, but will be doing so shortly. As a result this vulnerability may be widely known and widely exploited.
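To see whether requests for the three bugs named under PROBLEM are reaching a server, captured request heads (from a proxy or packet capture) can be classified as below. This is an added example, not code from the advisory or from the checker it links to; the matching rules (path ending in `null.htw`, path ending in `+.htr`, a `Translate: f` header) and the sample requests are assumptions made for this example.

```python
from urllib.parse import unquote

def classify(raw_request):
    """Return the advisory's bug names that one raw HTTP request head matches."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) < 2:
        return []  # no parseable request line
    # Match on the decoded, lower-cased path; the query string is ignored.
    path = unquote(parts[1].split("?", 1)[0]).lower()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip().lower()
    hits = []
    if path.endswith("/null.htw"):
        hits.append("NULL.HTW")
    if path.endswith("+.htr"):
        hits.append("+.HTR")
    if headers.get("translate") == "f":
        hits.append("Translate:f")
    return hits

# Constructed sample requests; host and paths are placeholders.
SAMPLES = [
    "GET /scripts/login.asp+.htr HTTP/1.0\r\nHost: www.example.test\r\n\r\n",
    "GET /scripts/login.asp%2B.HTR HTTP/1.0\r\nHost: www.example.test\r\n\r\n",
    "GET /null.htw HTTP/1.0\r\nHost: www.example.test\r\n\r\n",
    "GET /default.asp HTTP/1.1\r\nHost: www.example.test\r\nTranslate: f\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
]

def scan(requests):
    """Pair each request line with the rules it matched."""
    return [(r.split("\r\n", 1)[0], classify(r)) for r in requests]

if __name__ == "__main__":
    for request_line, hits in scan(SAMPLES):
        print(f"{request_line!r:50} -> {', '.join(hits) or 'no match'}")
```

Legitimate WebDAV authoring clients also send `Translate: f`, so a hit on that rule is a request to review against the patch status of the server, not proof of abuse.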