IIS Security Fixes Announced

Security vulnerabilities involving Microsoft Internet Information Server and software that runs atop it - one that could give unauthorized access to a Web server and the other that could bypass the normal server-side processing of the file - have been discovered and fixed.

One vulnerability could allow files on a Web server to be specified using an alternate representation, in order to bypass access controls of some third-party applications. Request for comments (RFC) standard 1738 specifies that Web servers must allow hexadecimal digits to be input in URLs by preceding them with the percent sign, the so-called "escape" character. IIS complies with this standard, but also accepts characters after the percent sign that are not hexadecimal digits. Some of these translate to printable ASCII characters, and this could provide an alternate means of specifying files in URLs.

While this vulnerability does not affect IIS, it does affect third-party applications that run atop IIS but do not perform canonicalization. Microsoft IIS 4.0, Site Server 3.0, and Site Server Commerce Edition 3.0 are affected by the vulnerability. The Intel version of the patch is available at and the Alpha version is available at

Another vulnerability could cause a Web server to send the source code of .ASP and other files to a visiting user.

If a file on one of the affected Web server products resides in a virtual directory whose name contains a legal file extension, the normal server-side processing of the file can be bypassed. The vulnerability would manifest itself in different ways depending on the specific file type requested, the specific file extension in the virtual directory name, and the permissions that the requester has in the directory. In most cases, an error would result and the requested file would not be served. In the worst case, the source code of .ASP or other files could be sent to the browser.

This vulnerability would be most likely to occur due to administrator error or if a product generated an affected virtual directory name by default (Front Page Server Extensions is one such product). Recommended security practices militate against including sensitive information in .ASP and other files that require server-side processing, and if this recommendation is observed, there would be no sensitive information divulged even if this vulnerability occurred. However, an affected virtual directory could be detected during routine testing of the server.

Microsoft IIS 4.0, Site Server 3.0, and Site Server Commerce Edition 3.0 are affected by this vulnerability. The Intel version of the patch is available at and the Alpha version is available at -- Isaac Slepner

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.


  • Microsoft and SAP Enhance Partnership with Teams Integration

    Microsoft and SAP this week described continuing partnership efforts on Microsoft Azure, while also planning a Microsoft Teams integration with SAP's enterprise resource planning product and other solutions.

  • Blue Squares Graphic

    Microsoft Previews Azure IoT Edge for Linux on Windows

    Microsoft announced a preview of Azure IoT Edge for Linux on Windows, which lets organizations tap Linux virtual machine processes that also work with Windows- and Azure-based processes and services.

  • How To Automate Tasks in Azure SQL Database

    Knowing how to automate tasks in the cloud will make you a more productive DBA. Here are the key concepts to understand about cloud scripting and a rundown of the best tools for automating code in Azure.

  • Microsoft Open License To End Next Year for Government and Education Groups

    Microsoft's "Open License program" will end on Jan. 1, 2022, and not just for commercial customers, but also for government, education and nonprofit organizations.

comments powered by Disqus