Microsoft Security Bulletin MS98-003
File Access Issue with Windows NT Internet Information Server (IIS)
Patch Availability Information Updated: March 7, 2003
Last Revision: July 8, 1998
Recently, Paul Ashton reported an issue on the NTBugtraq mailing list (http://www.ntbugtraq.com) that affects Microsoft® Windows NT® Server's Internet Information Server (IIS). Web clients that connect to Windows NT IIS can read the contents of any Windows NT Server's NT File System (NTFS) file in an IIS v-root directory to which they have been granted "read access". They can read these files even if the file is marked for "applications mappings", as used with Active Server Pages (ASP) scripts.
The purpose of this bulletin is to inform Microsoft customers of this issue, its applicability to Microsoft products, and the availability of countermeasures that Microsoft has developed to further secure its customers.
NTFS supports multiple data streams within a file. The main data stream, which stores the primary content, has an attribute called $DATA. Accessing this NTFS stream through IIS from a browser may display the contents of a file that is normally set to be acted upon by an Application Mapping.
For example, .asp files are mapped so that they are executed by an ASP page scripting agent on the server, rather than simply having the contents of the file returned, as is done with standard .htm files. Normally, the direct contents of these script-mapped files should not be returned to the user. However, by requesting the file using its complete data stream name, a Web browser could obtain the contents of the script file. In some cases, the file might contain sensitive information such as embedded passwords or other sensitive "business logic" information.
This issue does not give the user who could access the script file the ability to alter the script on the server, or to force the server to run arbitrary code. The user's only exposure is to the plain text of the script file.
The issue is a result of the way IIS parses file names. The fix makes IIS aware of NTFS alternate data streams by having Windows NT make the file name canonical.
For the problem to occur:
- The user must know the name of the file
- The ACLs on the file must allow the user read access
- The file must reside on an NTFS partition
Affected Software Versions
- Microsoft Windows NT Server's Internet Information Server versions 1.0, 2.0, 3.0, and 4.0
- Microsoft Peer Web Server versions 2.0, 3.0
- Microsoft Personal Web Server version 4.0 on Windows NT 4.0 Workstation
Vulnerability Identifier: CVE-1999-0278
What Microsoft is Doing
The Microsoft Product Security Response Team has produced a hot fix for Microsoft Internet Information Server versions 3.0 and 4.0. Additionally, some administrative workarounds are included below.
What Customers Should Do
Microsoft strongly recommends that customers using IIS versions 3.0 and 4.0 apply the hot fix.
Customers running earlier versions of Windows NT Server's IIS should upgrade to a more recent version (3.0 or 4.0).
The following hot fixes are available from the Microsoft FTP download server under http://www.microsoft.com/technet/security/patchavailability.mspx
- IIS 3.0 (Intel x86) hot fix, /iis3-datafix/iis3fixi.exe
- IIS 3.0 (Alpha) hot fix, /iis3-datafix/iis3fixa.exe
- IIS 4.0 (Intel x86) hot fix, /iis4-datafix/iis4fixi.exe
- IIS 4.0 (Alpha) hot fix, /iis4-datafix/iis4fixa.exe
As localized versions of this hot fix are produced, they will appear in the respective language directories under ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/(lang)/security where (lang) is the appropriate language.
Customers who cannot apply the hot fix can use the following workaround to temporarily address this issue:
Normally, Web users do not need read access to script files, such as .asp files. They simply need execute permissions. Removing read access to these files for non-administrative users will remove this exposure.
For additional protection, the Application Maps defined in Windows NT Server's IIS 4.0 can be modified to account for the existence of the alternate data streams. More details on this workaround are available in the Microsoft Knowledge Base article 188806 (see the "More Information" section below for the URL).
In addition, the following practices can help to improve security further for your Windows NT Server's IIS servers:
- Periodically review the users and groups who have access to the Web server: Review the users and groups and their permissions to ensure that only valid users have the appropriate permissions.
- Use auditing to detect suspicious activity: Apply auditing controls on sensitive files and review these logs periodically to detect suspicious or unauthorized behavior.
- Set read and execute permissions appropriately: ASP and other script files do not need to be readable by users that access them through Windows NT Server's IIS; they only need to be executable. Thus, it is advisable to remove read access from these files for normal users.
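The following is an added example and is not Microsoft's code, the hot fix, or any IIS component. It models the two points this bulletin makes: first, the "Issue" description above, where a script-map lookup performed on the raw, non-canonical file name fails to match the .asp mapping, and where canonicalizing the name before the lookup restores the mapping; second, the auditing practice above, applied as a review of request logs for URI stems that carry an NTFS stream qualifier. The stream syntax (name:stream:$type) is the one documented in Knowledge Base article 105763. The handler names in SCRIPT_MAPS, the W3C-style log lines, and the client addresses are constructed for the example.

```python
"""Stream-aware script-map lookup and log review (added example, not Microsoft's code)."""
from typing import List, NamedTuple, Tuple
from urllib.parse import unquote
import posixpath

# Illustrative "Application Mappings": file extension -> handler. Handler names
# are placeholders chosen for the example.
SCRIPT_MAPS = {".asp": "asp.dll", ".idc": "httpodbc.dll"}


class StreamRef(NamedTuple):
    base: str         # file name without any stream qualifier
    stream: str       # named stream; "" means the unnamed (default) stream
    stream_type: str  # attribute type such as "$DATA"; "" if not given


def split_stream(segment: str) -> StreamRef:
    """Split one path segment using the NTFS syntax name[:stream][:$type]
    described in KB 105763. 'x.asp::$DATA' -> base 'x.asp', stream '', type '$DATA'."""
    base, _, rest = segment.partition(":")
    stream, _, stream_type = rest.partition(":")
    return StreamRef(base, stream, stream_type)


def canonical_segment(segment: str) -> str:
    """Drop any stream qualifier so the extension seen by the script map is real."""
    return split_stream(segment).base


def naive_handler(uri_stem: str) -> str:
    """Pre-fix behaviour: the extension is taken from the raw last segment, so
    'default.asp::$DATA' yields '.asp::$data', which matches no mapping and the
    file would be served as static content."""
    ext = posixpath.splitext(unquote(uri_stem))[1].lower()
    return SCRIPT_MAPS.get(ext, "static-file")


def canonical_handler(uri_stem: str) -> str:
    """Fixed behaviour: canonicalize the last segment first, then consult the map,
    so a stream-qualified request for an .asp file still reaches the ASP handler."""
    _, tail = posixpath.split(unquote(uri_stem))
    ext = posixpath.splitext(canonical_segment(tail))[1].lower()
    return SCRIPT_MAPS.get(ext, "static-file")


def has_stream_qualifier(uri_stem: str) -> bool:
    """True if any segment of the decoded URI stem names a stream explicitly.
    Decoding first catches percent-encoded colons (%3A)."""
    return any(":" in seg for seg in unquote(uri_stem).split("/"))


# Constructed W3C extended log lines: date time c-ip cs-method cs-uri-stem sc-status
LOG_LINES = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
1998-07-02 10:15:01 192.0.2.10 GET /default.asp 200
1998-07-02 10:15:07 192.0.2.10 GET /default.asp::$DATA 200
1998-07-02 10:16:30 198.51.100.5 GET /scripts/login.asp%3A%3A%24DATA 200
1998-07-02 10:17:00 203.0.113.9 GET /images/logo.gif 200
"""


def find_stream_requests(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client ip, decoded uri-stem, status) for every request whose
    URI stem carries a stream qualifier. '#' lines are W3C directives."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue
        _date, _time, ip, _method, stem, status = fields[:6]
        if has_stream_qualifier(stem):
            hits.append((ip, unquote(stem), status))
    return hits


if __name__ == "__main__":
    for stem in ("/default.asp", "/default.asp::$DATA"):
        print(stem, "naive:", naive_handler(stem), "canonical:", canonical_handler(stem))
    for ip, stem, status in find_stream_requests(LOG_LINES):
        print("stream-qualified request", ip, stem, status)
```

The canonicalization in canonical_handler models the direction of the fix described in the bulletin (treat the stream qualifier as part of the file name and match the mapping on the real extension); a site that prefers the stricter policy can instead refuse any request for which has_stream_qualifier returns True. The log review only reports requests; whether a 200 status on such a line meant source disclosure depends on whether the server was patched or the read permission workaround was in place.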
More Information
Please see the following references for more information related to this issue.
- Microsoft Security Bulletin 98-003, File Access issue with Internet Information Server (the Web-posted version of this bulletin), /technet/security/bulletin/ms98-003.mspx
- Microsoft Knowledge Base article 188806, NTFS Alternate Data Stream Name of a File May Return Source, http://support.microsoft.com/default.aspx?scid=kb;en-us;188806&sd=tech
- Microsoft Knowledge Base article 105763, HOWTO: Use NTFS Alternate Data Streams, http://support.microsoft.com/default.aspx?scid=kb;en-us;105763&sd=tech
Revisions
- July 2, 1998: Bulletin Created
- July 6, 1998: Updated information on the availability of a hot fix for Windows NT Server's IIS 4.0 and Alpha version. Added additional information on workaround, and more thorough issue description.
- July 8, 1998: Updated to include information about localized versions of the hot fix. Updated information about products affected.
- V2.0 (March 10, 2003): Introduced versioning and updated patch availability information
For additional information on security issues at Microsoft, please visit http://www.microsoft.com/technet/security
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.