Microsoft Security Bulletin MS00-058 - Critical
Patch Available for 'Specialized Header' Vulnerability
Published: August 14, 2000
Originally posted: August 14, 2000
Microsoft has released a patch that eliminates a security vulnerability in Internet Information Server that ships with Microsoft® Windows 2000. Under certain conditions, the vulnerability could cause a web server to send the source code of certain types of web files to a visiting user.
- Microsoft Internet Information Server 5.0
Vulnerability Identifier: CVE-2000-0778
If an IIS server receives a file request that contains a specialized header as well as one of several particular characters at the end, the expected ISAPI extension processing may not occur. The result is that the source code of the file would be sent to the browser.
It is important to note that normal security recommendations militate strongly against ever including sensitive information in .ASP files and, if these recommendations have been followed, there would be no sensitive information to compromise. The specialized header at issue here cannot be created via a standard Internet browser, so the request would need to be created by an alternate method.
What's this bulletin about?
Microsoft Security Bulletin MS00-058 announces the availability of a patch that eliminates a vulnerability in Internet Information Server that ships with Microsoft® Windows 2000. Under certain conditions, the vulnerability could cause a web server to send the source code of a web file to a visiting user. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This vulnerability could cause the source code of certain types of files to be sent from a web server to a visiting user's browser. It would not enable a malicious user to change the files on a server or take any other administrative action on it.
It is important to note that if normal security recommendations regarding .ASP files have been followed, there would be no sensitive information contained in the source code.
What causes the vulnerability?
IIS supports advanced file types such as .ASP and .HTR files. These significantly improve the power and flexibility of web hosting services. In contrast to static web content like .HTM files, these advanced file types can be thought of as programs that, when requested, are executed on the server via so-called server-side processing. Every advanced file type has an interpreter, also known as a scripting engine, that processes files of that type. There is one scripting engine for .ASP files, one for .HTR files, and so forth. File types that don't have an associated scripting engine (.HTM files, for instance) are simply sent to the browser.
When a browser requests a file from a web server, IIS determines what scripting engine to invoke by checking the file extension. However, if the user creates a specialized header and appends one of several particular characters to the end of the request, IIS will locate the correct file but not recognize it as a file that needs to be processed by a scripting engine. Instead, it will simply send the file to the browser.
What are Headers and what are they used for?
A header is a part of an HTTP request, and contains information about the purpose of the request. For example, a header might indicate what type of character set the request uses, or provide information that proves that the requester is authorized to view the information he's requested. In normal use, the header information is not visible to the user - instead, the browser fills in the appropriate values based on how it's configured. However, it's possible for a user to create an HTTP request outside of the browser, in which case he could supply header information of his choice.
This vulnerability involves the processing of one particular header field. If a malicious user requested a file and included a particular header field in the request, and if the request were malformed in a particular way, IIS would return the source code of the affected file.
What's the risk in sending source code of web files to the browser?
For many types of files, there's no risk. .HTM files, for instance, are designed to be sent in their entirety to the browser. However, .ASP and other advanced file types are intended to never leave the server - only the output of the file, when processed by the scripting engine, should be sent to the browser.
The reason is that web content developers sometimes include sensitive information in .ASP and other advanced file types. For instance, they sometimes include information such as passwords in the files in order to personalize the content that they generate. This is contrary to recommended practices, and secure methods of storing and using such information are available; nevertheless, it is a frequent error. If such a web file were sent directly to a browser, it could compromise any sensitive information it contained.
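One way to audit a web root for the error described above, as an added example that is not part of the original bulletin or any Microsoft tool. The rule patterns, the .inc extension and the sample file are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# .asp and .htr are named in the bulletin; .inc is an assumption added here.
SCRIPT_EXTENSIONS = {".asp", ".htr", ".inc"}

# Heuristic rules, all assumptions of this example; tune them for your code.
RULES = {
    # Password=... or PWD=... as a key inside a quoted connection string.
    "connection-string password": re.compile(
        r"(?i)[;\"]\s*(?:pwd|password)\s*=\s*[^;\"'\s]+"),
    # A secret-like variable or constant assigned a quoted literal.
    "hardcoded secret literal": re.compile(
        r"(?i)\b\w*(?:passw(?:or)?d|pwd|secret|apikey)\w*\s*=\s*\"[^\"]+\""),
}


def scan_text(text):
    """Return (line_number, rule_name) pairs; the secret itself is not echoed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            if pattern.search(line):
                findings.append((lineno, rule))
    return findings


def scan_tree(root):
    """Scan every server-side script file under root (for example the web root)."""
    results = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCRIPT_EXTENSIONS:
            text = path.read_text(encoding="latin-1")  # latin-1 never fails to decode
            results += [(str(path), n, r) for n, r in scan_text(text)]
    return results


# Constructed sample, not taken from any real site.
SAMPLE_ASP = '''<%
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=SQLOLEDB;Data Source=db01;User ID=web;Password=Constructed1;"
Const ADMIN_PASSWORD = "constructed-value"
userPwd = Request.Form("pwd")
%>
<html><body>Welcome</body></html>'''

if __name__ == "__main__":
    for lineno, rule in scan_text(SAMPLE_ASP):
        print(f"line {lineno}: {rule}")
```

Values read at run time, such as the `Request.Form` line in the sample, are not flagged; only literals that would be exposed if the file's source were served are reported.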
If recommended security practices had been followed, and the .ASP code didn't contain any sensitive information, what would the risk be from this vulnerability?
There would be little or no risk.
Could this vulnerability be exploited accidentally?
Since the specialized header could not be created through the use of a standard Internet browser, it is very unlikely that anyone would exploit this vulnerability by accident.
Who should use the patch?
Customers using IIS 5.0 to serve .ASP or other advanced file types should either apply this patch or apply Windows 2000 Service Pack 1. We recommend that customers apply SP1 as the preferred option for eliminating this vulnerability, as it has been fully regression tested and includes fixes for additional issues.
What does the patch do?
The patch eliminates the vulnerability by changing how IIS handles file requests. This causes the appropriate scripting engine to process the file when it's served to the browser.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.
How do I use the patch?
The Knowledge Base article contains detailed instructions for applying the patch to your site.
How can I tell if I installed the patch correctly?
The Knowledge Base article provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
What is Microsoft doing about this issue?
Microsoft has delivered a patch that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft has issued a Knowledge Base article explaining the vulnerability and procedure in more detail.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.
Download locations for this patch
Note: This vulnerability is eliminated by installing Windows 2000 Service Pack 1. We recommend that customers apply SP1 as the preferred option for eliminating this vulnerability, as it has been fully regression tested and includes fixes for additional issues.
Additional information about this patch
Installation platforms: Please see the following references for more information related to this issue.
- Microsoft Knowledge Base (KB) article Q256888, http://support.microsoft.com/default.aspx?scid=kb;en-us;256888&sd=tech
Support: This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at http://support.microsoft.com/contactussupport/?ws=support.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- August 14, 2000: Bulletin Created.