IIS, Site Server vulnerable to hackers

A security problem involving Microsoft Corp.'s Internet Information Server (IIS) and Site Server products leaves data and files stored on those products vulnerable to hackers, according to WebTrends Corp., an Internet reporting and management vendor.

Three sample Active Server Pages (ASP) tools which ship as part of IIS and Site Server are the culprits, according to Microsoft and WebTrends. The default configurations of IIS and Site Server install the showcode.asp, viewcode.asp and codebrws.asp pages without proper access-control settings. Any remote browser user who has read permissions and knowledge of file names on a given system can get at data and files on a given system via the ASP tools.

WebTrends officials say they first alerted Microsoft to the problem two weeks ago. Friday, security experts at the L0pht also issued an advisory on the problem. "For e-commerce servers this puts transaction logs, credit card numbers and customer information potentially at risk. There is even e-commerce shopping cart software that stores administrative passwords in the clear in text files," the L0pht advisory said.

Microsoft is slated to issue a security bulletin confirming the problem later today. Microsoft is working on a downloadable fix and also is working on patched versions of three Active Server Pages tools in question. The patched tools should be available from the Microsoft Security site next week. "We take all security issues very seriously at Microsoft," says Scott Culp, Windows NT security product manager. Culp says it took Microsoft two weeks from first being alerted about the breach to create comprehensive patches and a strategy that would "deliver a very complete answer" to the problem. Culp says Microsoft will recommend users who don't need the tools in question remove them from their systems. They also should insure that their systems are set so that "least privilege" security settings are in place on individuals' machines.

Culp stressed that "there is no underlying vulnerability in Site Server, IIS, ASP or Windows NT" at fault. "It's just about the file viewing tools and default settings. These tools are read-only. They won't let anyone change or hack any data on a system."

WebTrends officials characterised the problem as more serious. "It's not an intrinsic problem with Microsoft's products at fault," agreed Rob Finlay, WebTrends product manager. "But you can not only view the files and content of the files via the [ASP] tools, but can also navigate through the directories within the partitions. Hackers can use all of this information to drill even deeper into the system. Hackers just need a Web browser to find these ASP pages and use them."

WebTrends, like Microsoft, recommends users simply remove the sample ASPs if they don't need them and set their permissions more restrictively on all users' systems. Portland-based WebTrends also has deployed new vulnerability tests for the ASP tools in question, allowing users of its WebTrends Security Analyser product to check for and fix systems with the offending security holes.