HTTP MS IIS Showcode ASP Request

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects an attempt to exploit a vulnerability in MS IIS ASP pages.

Additional Information

A sample Active Server Page (ASP) script installed by default on Microsoft's Internet Information Server (IIS) 4.0 gives remote users access to view any file on the same volume as the web server that is readable by the web server.

IIS 4.0 installs a number of sample ASP scripts, including one called "showcode.asp". This script allows clients to view the source of other sample scripts via a browser. The "showcode.asp" script does not perform sufficient checks and allows files outside the sample directory to be requested. In particular, it does not check for ".." in the path of the requested file.

The script takes one parameter, "source", which is the file to view. The script's default location URL is:

http://www.sitename.com/msadc/Samples/SELECTOR/showcode.asp

Similar vulnerabilities have been noted in ViewCode.asp, CodeBrws.asp and Winmsdp.exe.
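
The check the script omits can be applied from the defender's side to request logs. The following is an added example, not Symantec's signature logic or Microsoft's code: it flags requests to the sample scripts whose file parameter contains a ".." path segment, including percent-encoded and double-encoded forms. The request lines are constructed, and inspecting every parameter for ViewCode.asp and CodeBrws.asp is an assumption, since this page names a parameter only for showcode.asp.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Parameter to inspect per script. Only showcode.asp's "source" is given on
# this page; None means "inspect every parameter" (assumption for the others).
SCRIPTS = {"showcode.asp": "source", "viewcode.asp": None, "codebrws.asp": None}

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so %2e%2e and %252e%252e both become '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal_request(uri):
    """True if uri calls a listed sample script with a '..' path segment."""
    parts = urlsplit(uri)
    script = fully_decode(parts.path).replace("\\", "/").rsplit("/", 1)[-1].lower()
    if script not in SCRIPTS:
        return False
    wanted = SCRIPTS[script]
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if wanted is not None and name.lower() != wanted:
            continue
        for value in values:
            # Split on both separators; "a..b.asp" is a file name, not a traversal.
            if ".." in re.split(r"[\\/]", fully_decode(value)):
                return True
    return False

def scan(request_lines):
    """Return the URIs of flagged requests from 'METHOD URI VERSION' lines."""
    hits = []
    for line in request_lines:
        fields = line.split()
        if len(fields) >= 2 and is_traversal_request(fields[1]):
            hits.append(fields[1])
    return hits

# Constructed sample request lines (not captured traffic).
BASE = "/msadc/Samples/SELECTOR/showcode.asp"
SAMPLE = [
    f"GET {BASE}?source=/msadc/Samples/SELECTOR/showcode.asp HTTP/1.0",
    f"GET {BASE}?source=/msadc/Samples/../../example.txt HTTP/1.0",
    f"GET {BASE.upper()}?Source=/msadc/Samples/%252e%252e/example.txt HTTP/1.0",
    "GET /default.asp?source=../example.txt HTTP/1.0",
]
```

`scan(SAMPLE)` returns the second and third URIs: the first is a normal view of a sample script, and the fourth does not target one of the listed scripts.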

Affected

  • Microsoft IIS 4.0, 4.0 alpha
  • Microsoft Site Server 3.0 alpha, 3.0 i386, 3.0 SP1 alpha, 3.0 SP1 i386, 3.0 SP2 alpha, 3.0 SP2 i386
  • Microsoft Site Server Commerce Edition 3.0 alpha, 3.0 i386, 3.0 SP1 alpha, 3.0 SP1 i386, 3.0 SP2 alpha, 3.0 SP2 i386

Response

Do not install the sample code on production servers. If you have installed the sample code, remove it or install the patches:
Microsoft IIS 4.0:
Microsoft Patch Q252693
Microsoft Patch Q249599
Microsoft Patch Q254142
Microsoft Patch Q260205
Microsoft Patch Q267559 - deleted
Microsoft Patch Q267559
Microsoft Patch Q267559
Microsoft Patch Q218180
Microsoft Patch Q319733 IIS 4.0
Microsoft Patch Q317636
Microsoft Hotfix iis4fixa.exe
Microsoft Hotfix iis4fixi.exe
Microsoft Hotfix Q192296
Microsoft Patch Q269862
Microsoft Patch Q260347
Microsoft Patch Q274149
Microsoft Patch Q274149
Microsoft Patch Q277873
Microsoft Patch Q280322
Microsoft Patch Q285985
Microsoft Patch Q327696: Internet Information Services Security Roll-up Package
Microsoft Patch Q277873
Microsoft Patch Q295534
Microsoft Patch Q269862
Microsoft Patch Q260838 - deleted
Microsoft Patch Q260838 - deleted
Microsoft Patch fix2450i
Microsoft Patch Security Update for IIS 4.0 (KB841373)
Microsoft Patch FrontPage Server Extensions SR2
Microsoft Patch Q295534
Microsoft Upgrade JPNQ815021n
Microsoft Patch Q811114

Microsoft Site Server Commerce Edition 3.0 SP2 i386:
Microsoft Service Pack Site Server 3.0 Service Pack 4 (Intel)

Microsoft Site Server Commerce Edition 3.0 alpha:
Microsoft Service Pack Site Server 3.0 Service Pack 4 (Intel)
Microsoft Service Pack Site Server 3.0 Service Pack 4 (Alpha)

Microsoft Site Server Commerce Edition 3.0 i386:
Microsoft Service Pack Site Server 3.0 Service Pack 4 (Intel)

Microsoft Site Server 3.0 i386:
Microsoft Service Pack Site Server 3.0 Service Pack 4 (Intel)

Microsoft IIS 4.0 alpha:
Microsoft Patch Q252693
Microsoft Patch Q249599
Microsoft Patch Q254142
Microsoft Patch Q260205
Microsoft Patch Q267559
Microsoft Patch Q267559
Microsoft Patch Q269862
Microsoft Patch Q269862
Microsoft Patch Q260838 - deleted
Microsoft Patch Q260838 - deleted
Microsoft Patch fix2450a
Microsoft Hotfix Q192296

Microsoft Site Server Commerce Edition 3.0 SP1 i386:
Microsoft Service Pack Site Server 3.0 Service Pack 4 (Intel)

Microsoft Site Server 3.0 SP1 i386:
Microsoft Service Pack Site Server 3.0 Service Pack 4 (Intel)

Microsoft Site Server 3.0 SP2 i386:
Microsoft Service Pack Site Server 3.0 Service Pack 4 (Intel)

Microsoft Site Server 3.0 alpha:
Microsoft Service Pack Site Server 3.0 Service Pack 4 (Alpha)

Microsoft Site Server 3.0 SP1 alpha:
Microsoft Service Pack Site Server 3.0 Service Pack 4 (Alpha)

Microsoft Site Server 3.0 SP2 alpha:
Microsoft Service Pack Site Server 3.0 Service Pack 4 (Alpha)

Microsoft Site Server Commerce Edition 3.0 SP1 alpha:
Microsoft Service Pack Site Server 3.0 Service Pack 4 (Alpha)

Microsoft Site Server Commerce Edition 3.0 SP2 alpha:
Microsoft Service Pack Site Server 3.0 Service Pack 4 (Alpha)