Microsoft has identified a vulnerability that occurs in some file viewers that are included with Microsoft Site Server and Internet Information Server.
The vulnerability could allow a Web site visitor to view, but not to change, files on the server, provided that the visitor knows or guesses the name of each file and has access rights to the file based on the Windows NT Access Control Lists (ACLs).
The file viewer tools do not restrict which files a user can view.
Site Server 3.0
To resolve this problem, obtain the latest service pack for Site Server 3.0. For additional information, click the following article number to view the article in the
Microsoft Knowledge Base:
How to Obtain the Latest Site Server 3.0 Service Pack
This problem was first corrected in Site Server 3.0 Service Pack 3.
A fix has been developed for IIS 4.0, and has been posted to the following Internet location as Fix2450I.exe (Intel) or Fix2450A.exe (Alpha):
To eliminate the vulnerability on your Web server that can be caused by these file viewers, you should:
- Remove the affected file viewers, unless they are specifically required on the
Web site. The following file viewers are
affected: ViewCode.asp, ShowCode.asp, Code.asp, CodeBrws.asp, and Winmsdp.exe.
Depending on the specific installation, not all of these files may
be present on a server. There may be multiple copies of
some files, so you should perform a full search of your servers
to locate all copies.
- In accordance with standard security guidelines, file permissions
should always be set to enable Web visitors to gain access to only the files
they need, and no others. Files that are needed by Web
visitors should provide the least privilege needed. For example,
files that Web visitors need to be able to read but not write should
be set to read-only.
- As a general rule, sample files and virtual roots (vroots) should always be deleted
from a Web server before you put it into production. If sample files and vroots are needed, file access permissions should be used to regulate access to
them as appropriate
Microsoft Site Server and Internet Information Server (IIS) include tools that allow Web site visitors to view selected files on the server. These tools are installed by default in Site Server, but must be explicitly installed in IIS. These tools are provided to allow users to view the source code of sample files as a learning exercise, and are not intended to be deployed on production Web servers. The underlying problem in this vulnerability is that the tools do not restrict which files a Web site visitor can view.
Note the following important points:
- These file viewers are not installed by default in IIS.
They are installed in IIS only if you choose to install
the sample Web files.
- This vulnerability allows a Web site visitor only to view files.
There is no capability to change files or add files to the server.
- This vulnerability does not in any way bypass the Windows NT file
permission ACLs. A Web site visitor can use these tools to
view only files whose ACLs allows them read access. The administrator of
the Web server determines the specific permissions for all files on
- The viewers can only be used to view files on the same partition
as the currently displayed Web page. Databases, such as those used by
e-commerce servers, are typically stored on a different physical drive,
and would not be at risk.
- The Web site visitor needs to know or guess the name of each file they want to view.