MCI Telecommunications
internetMCI Security Group

Report Title:        iMCI MIIGS Security Alert
Report Name:         IIS Server file access vulnerability
Report Number:       iMCISE:IMCIMS:040598:01:P1R1
Report Date:         04/05/98
Report Format:       Formal Report
Classification:      MCI Informational
Report Reference:    http://www.security.mci.net
Report Distribution: iMCI Security,
                     MCI Internal Internet Gateway Security (MIIGS),
                     MCI Emergency Alert LiSt (MEALS) (names on file)

--------------------------------------------------------------------------

Microsoft Security Bulletin (MS98-003)

Hotfix available for the Microsoft Internet Information Server file access issue

Last Revision: July 2, 1998

Summary

Recently Paul Ashton reported an issue on the NTBugtraq mailing list
(http://www.ntbugtraq.com) that affects Microsoft Internet Information
Server (IIS). Web clients that connect to IIS can read the contents of
files to which they have execute and read-only permissions. These files
have to be in a web server v-root directory and on an NTFS volume.

The purpose of this bulletin is to inform Microsoft customers of this
issue, its applicability to Microsoft products, and the availability of
countermeasures Microsoft has developed to further secure its customers.

Issue

The native Microsoft® Windows NT® file system, NTFS, supports multiple
data streams within a file. The main data stream, which stores the
primary content, has an attribute called $DATA. Accessing this NTFS
stream via IIS from a browser may display the script code for the file.
The issue is a result of the way IIS parses filenames. The fix involves
IIS supporting NTFS alternate data streams by asking Windows NT to
canonicalize the filename.

For the problem to occur:

1. The user must know the name of the file
2. The ACLs on the file must allow some access (i.e. read and execute
   access)
3. The file must reside on an NTFS partition

The user cannot view files on which the ACLs are set to deny all access.

For more information on NTFS Alternate Data Streams please see Microsoft
Knowledge Base article Q105763.

Affected Software Versions

Microsoft Internet Information Server version 3.0 and 4.0

More Information

Please see Microsoft Knowledge Base article Q188806 for more information.

What Microsoft is Doing

The Microsoft Product Security Response Team has produced a hotfix for
Microsoft Internet Information Server version 3.0. Microsoft is currently
testing a hotfix for Internet Information Server version 4.0 which will
be posted later today.

What customers should do

Microsoft strongly recommends that customers using IIS version 3 and 4
should apply the hotfix.

IIS 3.0 (Intel x86) hotfix -
ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/security/iis3-datafix/iis3fixi.exe

IIS 3.0 (Alpha) hotfix -
ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/security/iis3-datafix/iis3fixa.exe

IIS 4.0 (Intel x86) hotfix -
ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/security/iis4-datafix/iis4fixi.exe

IIS 4.0 (Alpha) hotfix -
This hotfix will be available on or before July 7, 1998

More information on obtaining the hotfix can be found in Microsoft
Knowledge Base article Q188806.

Administrative workaround

Customers who cannot apply the hotfix can use the following workaround
to temporarily address this issue: make the following additions to the
Application Map in IIS4. The steps to perform this are:

1. Open the Microsoft Management Console
2. Right click on the Virtual Server in question
3. Select Properties
4. Select the Home Directory tab
5. Select Configuration
6. Now add each of the entries noted below:

   .idc::$DATA
   .stm::$DATA
   .asp::$DATA
   .asa::$DATA
   .shtm::$DATA
   .shtml::$DATA
   .pl::$DATA

In addition, the following practices can help to further improve
security for your IIS servers:

Periodically review the users and groups who have access to the web
server: Review the users and groups and their permissions to ensure that
only valid users have the appropriate permissions.

Use auditing to detect suspicious activity: Apply auditing controls on
sensitive files and review these logs periodically to detect suspicious
or unauthorized behavior.

Revisions

July 2, 1998: Bulletin Created

For additional information on security issues at Microsoft, please visit
www.microsoft.com/security

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS
IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES,
EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT
CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER
INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS
PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS
SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME
STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT
APPLY.

© 1998 Microsoft and/or its suppliers. All rights reserved.
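The following is an added example, not part of the MCI report or of Microsoft's hotfix, illustrating two points from the Issue and Administrative workaround sections above: canonicalizing a requested filename by stripping any NTFS stream suffix before choosing a handler (so ".asp::$DATA" is served by the script handler, which is what the application-map entries achieve), and auditing web server logs for requests that name a stream. The log lines, the W3C-style field layout and the split_stream/handler_for/find_stream_requests functions are constructed for this illustration.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# Script extensions the bulletin lists in the IIS4 application-map workaround.
SCRIPT_EXTENSIONS = {".idc", ".stm", ".asp", ".asa", ".shtm", ".shtml", ".pl"}

# NTFS stream syntax is name:stream:$type. "::$DATA" names the unnamed
# (primary) data stream; the pattern also catches a named stream such as
# ":foo:$DATA" and other stream types, after URL decoding.
STREAM_RE = re.compile(r"(:[^:/\\]*:\$DATA|::\$[A-Za-z_]+)$", re.IGNORECASE)


def split_stream(path: str) -> Tuple[str, Optional[str]]:
    """Return (canonical_path, stream_suffix). Mirrors the idea behind the
    hotfix: decide on the canonical filename, not on the raw request string."""
    decoded = unquote(path)
    m = STREAM_RE.search(decoded)
    if not m:
        return decoded, None
    return decoded[:m.start()], m.group(0)


def handler_for(path: str) -> str:
    """'script' or 'static', chosen from the canonical extension so that a
    stream suffix cannot demote a script file to a plain file download."""
    base, _ = split_stream(path)
    name = base.rsplit("/", 1)[-1]
    ext = name[name.rfind("."):].lower() if "." in name else ""
    return "script" if ext in SCRIPT_EXTENSIONS else "static"


# Constructed IIS-style log lines: date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
1998-07-02 10:01:12 10.0.0.5 GET /default.asp 200
1998-07-02 10:01:20 10.0.0.5 GET /default.asp::$DATA 200
1998-07-02 10:01:33 10.0.0.9 GET /scripts/order.pl%3A%3A%24DATA 200
1998-07-02 10:02:01 10.0.0.7 GET /images/logo.gif 200
"""


def find_stream_requests(log_text: str) -> List[Dict[str, object]]:
    """Flag every request whose URI names an NTFS stream; mark whether the
    canonical target is a script file (source disclosure risk)."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        base, stream = split_stream(fields[4])
        if stream:
            hits.append({"ip": fields[2], "uri": fields[4], "base": base,
                         "status": fields[5], "script": handler_for(base) == "script"})
    return hits
```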