What's this bulletin about?
Microsoft Security Bulletin MS00-058 announces the availability of a patch that eliminates a vulnerability in Internet Information Server that ships with Microsoft® Windows 2000. Under certain conditions, the vulnerability could cause a web server to send the source code of a web file to a visiting user. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This vulnerability could cause the source code of certain types of files to be sent from a web server to a visiting user's browser. It would not enable a malicious user to change the files on a server or take any other administrative action on it.
It is important to note that if normal security recommendations regarding .ASP files have been followed, there would be no sensitive information contained in the source code.
What causes the vulnerability?
IIS supports advanced file types such as .ASP and .HTR files. These significantly improve the power and flexibility of web hosting services. In contrast to static web content like .HTM files, these advanced file types can be thought of as programs that, when requested, are executed on the server via so-called server-side processing. Every advanced file type has an interpreter, also known as a scripting engine, that processes files of that type. There is one scripting engine for .ASP files, one for .HTR files, and so forth. File types that don't have an associated scripting engine (.HTM files, for instance) are simply sent to the browser.
When a browser requests a file from a web server, IIS determines what scripting engine to invoke by checking the file extension. However, if the user creates a specialized header and appends one of several particular characters to the end of the request, IIS will locate the correct file but not recognize it as a file that needs to be processed by a scripting engine. Instead, it will simply send the file to the browser.
What are Headers and what are they used for?
A header is a part of an HTTP request, and contains information about the purpose of the request. For example, a header might indicate what type of character set the request uses, or provide information that proves that the requester is authorized to view the information he's requested. In normal use, the header information is not visible to the user - instead, the browser fills in the appropriate values based on how it's configured. However, it's possible for a user to create an HTTP request outside of the browser, in which case he could supply header information of his choice.
This vulnerability involves the processing of one particular header field. If a malicious user requested a file and included a particular header field in the request, and if the request were malformed in a particular way, IIS would return the source code of the affected file.
What's the risk in sending source code of web files to the browser?
For many types of files, there's no risk. .HTM files, for instance, are designed to be sent in their entirety to the browser. However, .ASP and other advanced file types are intended to never leave the server - only the output of the file, when processed by the scripting engine, should be sent to the browser.
The reason is that web content developers sometimes include sensitive information in .ASP and other advanced file types. For instance, they sometimes include information such as passwords in the files in order to personalize the content that they generate. This is contrary to recommended practices, and secure methods of storing and using such information are available; nevertheless, it is a frequent error. If such a web file were sent directly to a browser, it could compromise any sensitive information it contained.
If recommended security practices had been followed, and the .ASP code didn't contain any sensitive information, what would the risk be from this vulnerability?
There would be little or no risk.
Could this vulnerability be exploited accidentally?
Since the specialized header could not be created through the use a standard Internet Browser, it is very unlikely that anyone would exploit this vulnerability by accident.
Who should use the patch?
Customers using IIS 5.0 to serve .ASP or other advanced file types should either apply this patch or apply Windows 2000 Service Pack 1. We recommend that customers apply SP1 as the preferred option for eliminating this vulnerability, as it has been fully regression tested and includes fixes for additional issues.
What does the patch do?
The patch eliminates the vulnerability by changing how IIS handles file requests. This causes the appropriate scripting engine to process the file when it's served to the browser.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin .
How do I use the patch?
The Knowledge Base article contains detailed instructions for applying the patch to your site.
How can I tell if I installed the patch correctly?
The Knowledge Base article provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
What is Microsoft doing about this issue?
Microsoft has delivered a patch that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft has issued a Knowledge Base article explaining the vulnerability and procedure in more detail.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.
