IIS Security Fixes Announced

Security vulnerabilities involving Microsoft Internet Information Server and software that runs atop it - one that could give unauthorized access to a Web server and the other that could bypass the normal server-side processing of the file - have been discovered and fixed.

One vulnerability could allow files on a Web server to be specified using an alternate representation, in order to bypass access controls of some third-party applications. Request for comments (RFC) standard 1738 specifies that Web servers must allow hexadecimal digits to be input in URLs by preceding them with the percent sign, the so-called "escape" character. IIS complies with this standard, but also accepts characters after the percent sign that are not hexadecimal digits. Some of these translate to printable ASCII characters, and this could provide an alternate means of specifying files in URLs.

While this vulnerability does not affect IIS, it does affect third-party applications that run atop IIS but do not perform canonicalization. Microsoft IIS 4.0, Site Server 3.0, and Site Server Commerce Edition 3.0 are affected by the vulnerability. The Intel version of the patch is available at and the Alpha version is available at

Another vulnerability could cause a Web server to send the source code of .ASP and other files to a visiting user.

If a file on one of the affected Web server products resides in a virtual directory whose name contains a legal file extension, the normal server-side processing of the file can be bypassed. The vulnerability would manifest itself in different ways depending on the specific file type requested, the specific file extension in the virtual directory name, and the permissions that the requester has in the directory. In most cases, an error would result and the requested file would not be served. In the worst case, the source code of .ASP or other files could be sent to the browser.

This vulnerability would be most likely to occur due to administrator error or if a product generated an affected virtual directory name by default (Front Page Server Extensions is one such product). Recommended security practices militate against including sensitive information in .ASP and other files that require server-side processing, and if this recommendation is observed, there would be no sensitive information divulged even if this vulnerability occurred. However, an affected virtual directory could be detected during routine testing of the server.

Microsoft IIS 4.0, Site Server 3.0, and Site Server Commerce Edition 3.0 are affected by this vulnerability. The Intel version of the patch is available at and the Alpha version is available at -- Isaac Slepner

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.


  • Get More Out of Your Outlook Inbox with TakeNote

    Brien comes across a handy, but imperfect, feature in Outlook that lets you annotate specific e-mails. Its provenance is something of a mystery, though.

  • Microsoft Resumes Rerelease of Windows 10 Version 1809

    Microsoft on Wednesday once more resumed its general rollout of the Windows 10 version 1809 upgrade, also known as the "October 2018 Update."

  • Microsoft Ups Its Windows 10 App Compatibility Assurances

    Microsoft gave assurances this week that organizations adopting Windows 10 likely won't face application compatibility issues.

  • SharePoint Online Users To Get 'Modern' UI Push in April

    Microsoft plans to alter some of the tenant-level blocking capabilities that may have been set up by organizations and deliver its so-called "modern" user interface (UI) to Lists and Libraries for SharePoint Online users, starting in April.

comments powered by Disqus
Most   Popular

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.