[thelist] FW: Microsoft Security Bulletin (MS99-058)

Scott Dexter sgd at ti3.com
Wed, 22 Dec 1999 10:39:34 -0600


#2

sgd
--
think safely

> -----Original Message-----
> From: Microsoft Product Security [mailto:secnotif@MICROSOFT.COM]
> Sent: Tuesday, December 21, 1999 5:35 PM
> To: MICROSOFT_SECURITY@ANNOUNCE.MICROSOFT.COM
> Subject: Microsoft Security Bulletin (MS99-058)
> 
> 
> The following is a Security Bulletin from the Microsoft Product Security
> Notification Service.
> 
> Please do not reply to this message, as it was sent from an unattended
> mailbox.
>                     ********************************
> 
> Microsoft Security Bulletin (MS99-058)
> --------------------------------------
> 
> Patch Available for "Virtual Directory Naming" Vulnerability
> Originally Posted: December 21, 1999
> 
> Summary
> =======
> Microsoft has released a patch that eliminates a vulnerability in
> Microsoft(r) Internet Information Server and other products that run atop
> it. Under certain conditions, the vulnerability could cause a web server to
> send the source code of .ASP and other files to a visiting user.
> 
> Frequently asked questions regarding this vulnerability can be found at
> http://www.microsoft.com/security/bulletins/MS99-058faq.asp.
> 
> Issue
> =====
> If a file on one of the affected web server products resides in a virtual
> directory whose name contains a legal file extension, the normal server-side
> processing of the file can be bypassed. The vulnerability would manifest
> itself in different ways depending on the specific file type requested, the
> specific file extension in the virtual directory name, and the permissions
> that the requester has in the directory. In most cases, an error would
> result and the requested file would not be served. In the worst case, the
> source code of .ASP or other files could be sent to the browser.
> 
> This vulnerability would be most likely to occur due to administrator error,
> or if a product generated an affected virtual directory name by default.
> (FrontPage Server Extensions is one such product). Recommended security
> practices militate against including sensitive information in .ASP and other
> files that require server-side processing, and if this recommendation is
> observed, there would be no sensitive information divulged even if this
> vulnerability occurred. In any event, an affected virtual directory could be
> identified during routine testing of the server.
> 
> Affected Software Versions
> ==========================
>  - Microsoft Internet Information Server 4.0
>  - Microsoft Site Server 3.0
>  - Microsoft Site Server Commerce Edition 3.0
> 
> Patch Availability
> ==================
>  - Intel:
>    http://www.microsoft.com/Downloads/Release.asp?ReleaseID=16378
>  - alpha:
>    http://www.microsoft.com/Downloads/Release.asp?ReleaseID=16379
> 
> NOTE: Additional security patches are available at the Microsoft Download
> Center.
> 
> More Information
> ================
> Please see the following references for more information related to this
> issue.
>  - Microsoft Security Bulletin MS99-058: Frequently Asked Questions,
>    http://www.microsoft.com/security/bulletins/MS99-058faq.asp.
>  - Microsoft Knowledge Base (KB) article Q238606,
>    Page Contents Visible For Certain Virtual Directory Names,
>    http://support.microsoft.com/support/kb/articles/q238/6/06.asp.
>    (Note: It may take 24 hours from the original posting of this
>    bulletin for this KB article to be visible.)
>  - Microsoft Knowledge Base (KB) article Q186803,
>    Browsing Folders with Script-Mapped Extensions Returns Errors,
>    http://support.microsoft.com/support/kb/articles/q186/8/03.asp.
>  - Microsoft Security Advisor web site,
>    http://www.microsoft.com/security/default.asp.
> 
> Obtaining Support on this Issue
> ===============================
> This is a fully supported patch. Information on contacting Microsoft
> Technical Support is available at
> http://support.microsoft.com/support/contact/default.asp.
> 
> Acknowledgments
> ===============
> Microsoft acknowledges Adam Hunger for bringing this issue to our attention.
> 
> 
> Revisions
> =========
>  - December 21, 1999: Bulletin Created.
> 
> ---------------------------------------------------------------------
> 
> THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
> WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
> EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
> FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
> SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
> INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
> IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
> POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
> LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
> FOREGOING LIMITATION MAY NOT APPLY.
> 
> (c) 1999 Microsoft Corporation. All rights reserved. Terms of
> 
>    *******************************************************************
> You have received this e-mail bulletin as a result of your registration
> to the Microsoft Product Security Notification Service. You may
> unsubscribe from this e-mail notification service at any time by sending
> an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
> The subject line and message body are not used in processing the request,
> and can be anything you like.
> 
> For more information on the Microsoft Security Notification Service
> please visit http://www.microsoft.com/security/services/bulletin.asp. For
> security-related information about Microsoft products, please visit the
> Microsoft Security Advisor web site at http://www.microsoft.com/security.
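The bulletin's "Issue" section says an affected virtual directory "could be identified during routine testing of the server". The script below is an added example of that routine test, written for this page; it is not part of the bulletin, of Scott's post, or of any Microsoft tool. It walks a list of virtual directory paths (a constructed sample here; on a real server you would export the list from the IIS metabase) and flags every path segment whose dotted tokens include a script-mapped extension. The bulletin names only .ASP; the other extensions in SCRIPT_MAPPED_EXTENSIONS are assumed IIS 4.0 defaults and should be replaced with the script maps actually configured on the server being tested. Matching is case-insensitive, since IIS and NTFS path matching are, and deliberately conservative: "products.asp.bak" is flagged even though its last suffix is not mapped, because the bulletin's condition is that the name "contains" a legal extension.

```python
"""Audit IIS virtual directory names for script-mapped extensions (MS99-058).

Added example for this page, not code from the bulletin. Assumes the
virtual directory paths come from an export of the server's configuration;
the SAMPLE_VDIRS list below is constructed for illustration.
"""

# Extensions handed to a script engine instead of being served as static files.
# Only ".asp" is named in the bulletin; the rest are assumed IIS 4.0 defaults.
SCRIPT_MAPPED_EXTENSIONS = frozenset({".asp", ".asa", ".idc", ".shtm", ".shtml", ".stm"})

# Constructed sample of virtual directory paths, as an administrator might export them.
SAMPLE_VDIRS = [
    "/",
    "/scripts",
    "/reports.asp",            # administrator error: vdir named like an ASP page
    "/Archive.ASP/2019",       # nested under an affected vdir; case differs
    "/data.idc",
    "/aspnet_client",          # contains the letters "asp" but no extension token
    "/images/products.asp.bak",
    "/_vti_bin",               # FrontPage vdir without an extension in its name
]


def offending_extension(segment, extensions=SCRIPT_MAPPED_EXTENSIONS):
    """Return the first script-mapped extension that appears as a dotted token
    in a single path segment, or None.

    'reports.asp'      -> '.asp'
    'products.asp.bak' -> '.asp'   (conservative: a later suffix does not clear it)
    'aspnet_client'    -> None     (no dot, so no extension at all)
    """
    parts = segment.lower().split(".")
    # parts[0] is the base name; every later token is a candidate extension.
    for token in parts[1:]:
        ext = "." + token
        if ext in extensions:
            return ext
    return None


def find_affected(vdirs, extensions=SCRIPT_MAPPED_EXTENSIONS):
    """Return (path, offending_segment, extension) for each affected vdir.

    Each segment of the virtual path is checked, because a directory nested
    under an affected vdir inherits the problem. One finding per path is
    enough to schedule it for renaming, so the first hit wins.
    """
    findings = []
    for path in vdirs:
        for segment in path.strip("/").split("/"):
            if not segment:
                continue
            ext = offending_extension(segment, extensions)
            if ext is not None:
                findings.append((path, segment, ext))
                break
    return findings


def report(vdirs, extensions=SCRIPT_MAPPED_EXTENSIONS):
    """Human-readable lines for the findings, one per affected vdir."""
    lines = []
    for path, segment, ext in find_affected(vdirs, extensions):
        lines.append(f"AFFECTED {path}: segment '{segment}' contains "
                     f"script-mapped extension '{ext}'; rename it")
    if not lines:
        lines.append("No virtual directory names contain script-mapped extensions")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_VDIRS):
        print(line)
```

Renaming a flagged virtual directory (or the product-generated one, after the patch is applied) removes the condition; the patch is still required, since a later administrator or product could recreate such a name.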