It looks like there are some security problems with Microsoft IIS and Site Server relating to some Web-based site management applications that ship with the server. These programs, which allow you to do things like remotely view the source code of your ASP pages over the Web, have security holes that can enable users to view the contents of any file on the server. These problems are interesting for two reasons. The first is that they’re really similar to the recently exposed security hole in Cold Fusion that allowed malicious users to attack Web sites through the example programs that are installed with the Cold Fusion documentation. The second is that problems with these particular ASP programs are nothing new: a quick Web search on the name of one of the affected IIS programs (viewcode.asp) returned a security alert from over a year ago describing a denial of service attack that could be launched by abusing the program.