Tech Talk

July 1, 1998

July 6, 1998

July 13, 1998


Tech Week

Microsoft announced Thursday the discovery of a bug in its Internet Information Server that could reveal the source code behind unprocessed server-side scripts. The new bug is similar to one -- found by San Diego Source programmers and reported last week -- that affected Netscape Enterprise, Sun's Java Web Server and O'Reilly and Associates' WebSite Pro. That bug occurs when users append a certain set of characters at the end of a URL. The Microsoft bug, which also is similar to one that struck IIS more than a year ago, will reveal the scripting behind some Web applications if "::$DATA" is added to the end of a URL for a page on a server running IIS 3.0 and 4.0. Microsoft already has posted a fix on its site. While the HTML source code of most Web pages normally can be viewed through utilities in any browser, server-side scripts are intended to be invisible and occasionally can contain sensitive information. Since these scripts often are used to integrate the Web with large corporate databases, programmers sometimes use them to pass sensitive information, such as passwords, to the database. Hackers could use this information to copy, alter or even delete data. Microsoft said in a letter to software makers that the issue is a result of the way IIS parses filenames. "The native Windows NT file system, NTFS, supports multiple data streams within a file. The main data stream, which stores the primary content, has an attribute called '$DATA.' Accessing this NTFS stream via IIS from a browser may display the script code for the file," the letter read. The fix alters the way Windows NT handles multiple data streams. Microsoft also explains in the letter that in order for the bug to work, certain conditions must be met. First, a user has to know the file name -- though tacking something on to the end of a URL sort of implies that; permissions for the file would have to be set to allow its execution, and, finally, the file has to exist on an NTFS partition. The letter does not mention that many of these conditions are met by default under Microsoft's file system or would need to be met in order for the script to work in the first place. Last week, the San Diego Source discovered the similar security hole compromising the integrity of Web server software from Netscape Communications, Sun and O'Reilly & Associates. That bug, which occurs when a "%20" is appended to the URL of a Web page, reveals the unprocessed source code of certain files. Sites running Active Server Pages or Cold Fusion Application Server, for instance, would return the script itself, rather that the result of the script. All three companies confirmed the findings and released fixes within days. The "$DATA" bug is virtually identical in nature to those affecting Netscape, Sun and O'Reilly and comes as a surprise to many IIS users -- most of whom have been working under the assumption that Microsoft had patched this hole more than a year ago. The result is that a very large number of Windows-based Web servers -- including virtually any IIS, Netscape Enterprise, Sun Java Web Server or WebSite Pro server not upgraded or patched in the last seven days -- are vulnerable to exploitation.


July 1, 1998

July 6, 1998

July 13, 1998