IIS Security Fixes Announced

Security vulnerabilities involving Microsoft Internet Information Server and software that runs atop it - one that could give unauthorized access to a Web server and the other that could bypass the normal server-side processing of the file - have been discovered and fixed.

One vulnerability could allow files on a Web server to be specified using an alternate representation, in order to bypass access controls of some third-party applications. Request for comments (RFC) standard 1738 specifies that Web servers must allow hexadecimal digits to be input in URLs by preceding them with the percent sign, the so-called "escape" character. IIS complies with this standard, but also accepts characters after the percent sign that are not hexadecimal digits. Some of these translate to printable ASCII characters, and this could provide an alternate means of specifying files in URLs.

While this vulnerability does not affect IIS, it does affect third-party applications that run atop IIS but do not perform canonicalization. Microsoft IIS 4.0, Site Server 3.0, and Site Server Commerce Edition 3.0 are affected by the vulnerability. The Intel version of the patch is available at and the Alpha version is available at

Another vulnerability could cause a Web server to send the source code of .ASP and other files to a visiting user.

If a file on one of the affected Web server products resides in a virtual directory whose name contains a legal file extension, the normal server-side processing of the file can be bypassed. The vulnerability would manifest itself in different ways depending on the specific file type requested, the specific file extension in the virtual directory name, and the permissions that the requester has in the directory. In most cases, an error would result and the requested file would not be served. In the worst case, the source code of .ASP or other files could be sent to the browser.

This vulnerability would be most likely to occur due to administrator error or if a product generated an affected virtual directory name by default (Front Page Server Extensions is one such product). Recommended security practices militate against including sensitive information in .ASP and other files that require server-side processing, and if this recommendation is observed, there would be no sensitive information divulged even if this vulnerability occurred. However, an affected virtual directory could be detected during routine testing of the server.

Microsoft IIS 4.0, Site Server 3.0, and Site Server Commerce Edition 3.0 are affected by this vulnerability. The Intel version of the patch is available at and the Alpha version is available at -- Isaac Slepner

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.


  • Microsoft Releases Windows 10 Version 1909

    Microsoft on Tuesday announced the release of Windows 10 version 1909, a new operating system product that's also known as the "Windows 10 November 2019 Update."

  • November Microsoft Security Bundle Addresses 75 Vulnerabilities

    Of that number, 13 vulnerabilities are rated "Critical" to patch, while 62 vulnerabilities are deemed "Important."

  • The Future of Office 365 Pricing

    With a raft of new Office 365 features in the pipeline, Microsoft also seems ready to change the way it bills its subscribers. Will it replicate Azure's pay-per-use model, or will it look like something else entirely?

  • Microsoft Offers 1 Year of Free Windows 7 Extended Security Updates to E5 Licensees

    Microsoft is offering one year of free support under its Extended Security Updates program to Windows 7 users if their organizations have E5 licensing.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.