IIS Security Fixes Announced

Security vulnerabilities involving Microsoft Internet Information Server and software that runs atop it - one that could give unauthorized access to a Web server and the other that could bypass the normal server-side processing of the file - have been discovered and fixed.

One vulnerability could allow files on a Web server to be specified using an alternate representation, in order to bypass access controls of some third-party applications. Request for comments (RFC) standard 1738 specifies that Web servers must allow hexadecimal digits to be input in URLs by preceding them with the percent sign, the so-called "escape" character. IIS complies with this standard, but also accepts characters after the percent sign that are not hexadecimal digits. Some of these translate to printable ASCII characters, and this could provide an alternate means of specifying files in URLs.

While this vulnerability does not affect IIS, it does affect third-party applications that run atop IIS but do not perform canonicalization. Microsoft IIS 4.0, Site Server 3.0, and Site Server Commerce Edition 3.0 are affected by the vulnerability. The Intel version of the patch is available at and the Alpha version is available at

Another vulnerability could cause a Web server to send the source code of .ASP and other files to a visiting user.

If a file on one of the affected Web server products resides in a virtual directory whose name contains a legal file extension, the normal server-side processing of the file can be bypassed. The vulnerability would manifest itself in different ways depending on the specific file type requested, the specific file extension in the virtual directory name, and the permissions that the requester has in the directory. In most cases, an error would result and the requested file would not be served. In the worst case, the source code of .ASP or other files could be sent to the browser.

This vulnerability would be most likely to occur due to administrator error or if a product generated an affected virtual directory name by default (Front Page Server Extensions is one such product). Recommended security practices militate against including sensitive information in .ASP and other files that require server-side processing, and if this recommendation is observed, there would be no sensitive information divulged even if this vulnerability occurred. However, an affected virtual directory could be detected during routine testing of the server.

Microsoft IIS 4.0, Site Server 3.0, and Site Server Commerce Edition 3.0 are affected by this vulnerability. The Intel version of the patch is available at and the Alpha version is available at -- Isaac Slepner

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.


  • Industrial Control System Honeypot Illustrates Bad Security Practices

    Security solutions provider Trend Micro has published results (PDF) from running an industrial control system (ICS) "honeypot."

  • Ransomware: What It Means for Your Database Servers

    Ransomware affects databases in very specific ways. Joey describes the mechanics of a SQL Server ransomware attack, what DBAs can do to protect their systems, and what security measures they should be advocating for.

  • Windows Admin Center vs. Hyper-V Manager: What's Better for Managing VMs?

    Microsoft's preferred interface for Windows Server is Windows Admin Center, but can it really replace Hyper-V Manager for managing virtual machines? Brien compares the two management tools.

  • Microsoft Offers More Help on Windows Server 2008 Upgrades

    Microsoft this week published additional help resources for organizations stuck on Windows Server 2008, which fell out of support on Jan. 14.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.