Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Web Server/CGI)  >   Microsoft Internet Information Server (IIS) Web Server Vendors:   Microsoft
Microsoft Internet Information Server (IIS) Web Server Discloses ASP Source Code When Installed on FAT-based Filesystem
SecurityTracker Alert ID:  1001818
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jun 22 2001
Impact:   Disclosure of user information
Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): Windows NT4 + IIS4 + sp3 (on FAT), Windows 2000 Server (on FAT), Windows 2000 Server + sp2 (on FAT)
Description:   VIGILANTe reported a vulnerability with Microsoft's IIS web server when installed on a FAT filesystem that allows a remote user to obtain Active Server Pages (ASP) source code from the server.

IIS reportedly determines if a file is an ASP script or not by the .asp extension. If a remote user prepares an HTTP request using Unicode encoding, the asp extension may not be recognized by IIS on FAT filesystems and the ASP code will be returned as source code rather than executed.

The vendor notes that FAT (as opposed to NTFS) does not provide any file security mechanisms and is not appropriate for use as a production web server.

IIS on systems using NTFS volumes is not affected.

Impact:   A remote user can obtain ASP source code from the web server.
Solution:   No vendor solution was available at the time of this entry. The report recommends as a workaround to convert the file system to NTFS and to consider removing reading access right for the IUSR_<hostname> from ASP scripts (only giving IUSR_<hostname> execute rights).
Vendor URL: (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:  Windows (NT), Windows (2000)

Message History:   None.

 Source Message Contents

Subject:  [VIGILANTE-2001001] ASP source code retrieved with Unicode extens

Hash: SHA1

        ASP source code retrieved with Unicode extension
Advisory Code:
Release Date:

System affected:
        Windows NT4 + IIS4 + sp3 (on FAT)
        Windows 2000 Server (on FAT)
        Windows 2000 Server + sp2 (on FAT)
Systems not affected:
        Windows NT4 + IIS4 + sp3 (on NTFS)
        Windows 2000 Server (on NTFS)
        Windows 2000 Server + sp2 (on NTFS)

The problem:
        Active Server Pages (ASP) are web scripts that are executed on
        the Internet Information Server (IIS) and the result is send to
        the user. IIS determines if a file is an ASP script or not by
        the .asp extension. 
        With Unicode there are many ways the asp extension can be
        encoded. On FAT file systems some of them will not be
        recognized as an ASP script by IIS and executed on the server
        but instead IIS will disclouse the source code of the script.

Vendor status:
        Microsoft contacted 2001-05-28 and responded the same day:
        "The Microsoft Security Response Center has investigated the
        report, but we note that the problem as reported would only
        affect an IIS server that has been configured to use a FAT
        volume.  However, by design, FAT doesn't provide a security
        mechanism, and it's never an appropriate file system to use on
        a production web server.  Instead, as discussed in Microsoft's
        best practices guides and security checklists
        production servers should always use NTFS volumes. The reported
        problem does not affect systems using NTFS".

Vulnerability Assessment:
        A test-case to detect this vulnerability was added to
        SecureScan NX on June 22, 2001

        As a workaround convert the file system to NTFS. And consider
        removing reading access right for the IUSR_<hostname> from ASP
        scripts (only giving IUSR_<hostname> execute rights)
        In general follow Microsoft's Security Best Practices:

        Internet Information Server 4.0 Security Checklist:

        or Secure Internet Information Services 5 Checklist:

Copyright, Inc. 2001-06-22

        The information within this document may change without notice.
        Use of this information constitutes acceptance for use in an AS
        IS condition. There are NO warranties with regard to this
        information. In no event shall the author be liable for any
        consequences whatsoever arising out of or in connection with
        the use or spread of this information. Any use of this
        information lays within the user's responsibility. 

        Please send suggestions, updates, and comments to 

VIGILANTe Vulnerability Disclosure Policy:

Version: PGP 7.0.1



The information transmitted is intended only for the person or entity to
which it is  addressed and may contain confidential and/or privileged
material.  Any review,  retransmission, dissemination or other use of, or
taking of any action in reliance upon,  this information by persons or
entities other than the intended recipient is prohibited.

Any opinions expressed in this email are those of the individual and not
necessarily the Company.

If  you receive this transmission in error, please email to, including a copy of this message. Please then
delete this email and destroy any copies of it.

>>>>>>>>>>>>>>>>>>>>>>>>>> DISCLAIMER END <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, LLC