DOCUMENT:Q249599 30-APR-2002 [iis] TITLE :Virtual Directory Mapped to UNC Returns Server-Side Script Code PRODUCT :Internet Information Server PROD/VER::4.0,5.0 OPER/SYS: KEYWORDS:kbSecurity kbWin2000PreSP1Fix kbWinNT400PreSP7Fix kbgraphxlinkcritical ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Internet Information Server version 4.0 - Microsoft Internet Information Services version 5.0 ------------------------------------------------------------------------------- SYMPTOMS ======== If a virtual directory on an Internet Information Server (IIS) computer is mapped to a Universal Naming Convention (UNC) share, and a request for a file in the directory contains one of several particular characters at the end of the request, the expected Internet Server Application Programming Interface (ISAPI) extension processing may not occur. This can result in the source code of the file being sent to the browser. CAUSE ===== This problem can be caused by the use of a varying combination of special characters at the end of the clients request. RESOLUTION ========== Windows 2000 ------------ To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, please see the following article in the Microsoft Knowledge Base: Q260910 How to Obtain the Latest Windows 2000 Service Pack This fix is also available individually. The following files are available for download from the Microsoft Download Center: US English DownloadDownload Q249599_W2K_SP1_X86_EN.EXE now (http://www.microsoft.com/Downloads/Release.asp?ReleaseID=19982) Arabic DownloadDownload Q249599_W2K_SP1_X86_AR.EXE now (http://www.microsoft.com/Downloads/Release.asp?ReleaseID=19983) Chinese (Simplified) DownloadDownload Q249599_W2K_SP1_X86_CN.EXE now (http://www.microsoft.com/Downloads/Release.asp?ReleaseID=19985) Chinese (Traditional) DownloadDownload Q249599_W2K_SP1_X86_TW.EXE now (http://www.microsoft.com/Downloads/Release.asp?ReleaseID=19995) Dutch DownloadDownload Q249599_W2K_SP1_X86_NL.EXE now (http://www.microsoft.com/Downloads/Release.asp?ReleaseID=19993) French DownloadDownload Q249599_W2K_SP1_X86_FR.EXE now (http://www.microsoft.com/Downloads/Release.asp?ReleaseID=19989) German DownloadDownload Q249599_W2K_SP1_X86_DE.EXE now (http://www.microsoft.com/Downloads/Release.asp?ReleaseID=19986) Hebrew DownloadDownload Q249599_W2K_SP1_X86_HE.EXE now (http://www.microsoft.com/Downloads/Release.asp?ReleaseID=19996) Italian DownloadDownload Q249599_W2K_SP1_X86_IT.EXE now (http://www.microsoft.com/Downloads/Release.asp?ReleaseID=19990) Japanese DownloadDownload Q249599_W2K_SP1_X86_JA.EXE now (http://www.microsoft.com/Downloads/Release.asp?ReleaseID=19991) Korean DownloadDownload Q249599_W2K_SP1_X86_KO.EXE now (http://www.microsoft.com/Downloads/Release.asp?ReleaseID=19992) Portuguese (Brazil) DownloadDownload Q249599_W2K_SP1_X86_BR.EXE now (http://www.microsoft.com/Downloads/Release.asp?ReleaseID=19984) Spanish DownloadDownload Q249599_W2K_SP1_X86_ES.EXE now (http://www.microsoft.com/Downloads/Release.asp?ReleaseID=19988) Swedish DownloadDownload Q249599_W2K_SP1_X86_SV.EXE now (http://www.microsoft.com/Downloads/Release.asp?ReleaseID=19994) For additional information about how to download Microsoft Support files, click the article number below to view the article in the Microsoft Knowledge Base: Q119591 How to Obtain Microsoft Support Files from Online Services Microsoft used the most current virus detection software available on the date of posting to scan this file for viruses. After it is posted, the file is housed on secure servers that prevent any unauthorized changes to the file. Windows NT 4.0 -------------- The following files are available for download from the Microsoft Download Center: US English x86: DownloadDownload Uncsec4i.exe now (http://www.microsoft.com/Downloads/Release.asp?ReleaseID=18900) Alpha: DownloadDownload Uncsec4a.exe now (http://www.microsoft.com/Downloads/Release.asp?ReleaseID=18901) Dutch x86: Download Uncsec4i.exe now (http://download.microsoft.com/download/iis40/Patch/4.2.736.1/NT4/NL/Uncsec4i.exe) Alpha: Download Uncsec4a.exe now (http://download.microsoft.com/download/iis40/patch/4.2.736.1/alpha/nl/Uncsec4a.exe) French x86: Download Uncsec4i.exe now (http://download.microsoft.com/download/iis40/patch/4.2.736.1/nt4/fr/Uncsec4i.exe) Alpha: Download Uncsec4a.exe now (http://download.microsoft.com/download/iis40/patch/4.2.736.1/alpha/fr/Uncsec4a.exe) German x86: Download Uncsec4i.exe now (http://download.microsoft.com/download/iis40/Patch/4.2.736.1/NT4ALPHA/DE/Uncsec4i.exe) Alpha: Download Uncsec4a.exe now (http://download.microsoft.com/download/iis40/Patch/4.2.736.1/NT4ALPHA/DE/Uncsec4a.exe) NOTE: Debug symbol files are required by an administrator to do both kernel and user mode debugging, providing a method to resolve global variables and function names in the loaded executable file. Click the file names below to download the symbol files: German x86 Symbols: Download Uncsec4is.exe now (http://download.microsoft.com/download/iis40/Patch/4.2.736.1/NT4ALPHA/DE/Uncsec4is.exe) German Alpha Symbols: Download Uncsec4as.exe now (http://download.microsoft.com/download/iis40/Patch/4.2.736.1/NT4ALPHA/DE/Uncsec4as.exe) Portuguese (Brazilian) x86: DownloadDownload Uncsec4i.exe now ( http://download.microsoft.com/download/iis40/patch/4.2.736.1/nt4/pt-br/Uncsec4i.exe) Alpha: Download Uncsec4a.exe now (http://download.microsoft.com/download/iis40/patch/4.2.736.1/alpha/pt-br/Uncsec4a.exe) Spanish x86: Download Uncsec4i.exe now (http://download.microsoft.com/download/iis40/patch/4.2.736.1/nt4/es/Uncsec4i.exe) Alpha: DownloadDownload Uncsec4a.exe now ( http://download.microsoft.com/download/iis40/patch/4.2.736.1/alpha/es/Uncsec4a.exe) Swedish x86: Download Uncsec4i.exe now (http://download.microsoft.com/download/iis40/patch/4.2.736.1/nt4/sv/Uncsec4i.exe) Alpha: Download Uncsec4a.exe now (http://download.microsoft.com/download/iis40/patch/4.2.736.1/alpha/sv/Uncsec4a.exe) For additional information about how to download Microsoft Support files, click the article number below to view the article in the Microsoft Knowledge Base: Q119591 How to Obtain Microsoft Support Files from Online Services Microsoft used the most current virus detection software available on the date of posting to scan this file for viruses. After it is posted, the file is housed on secure servers that prevent any unauthorized changes to the file. The English version of this fix should have the following file attributes or later: Date Time Version Size File name Platform ------------------------------------------------------------- 12/28/99 06:02p 4.2.736.1 185,248 Infocomm.dll x86 12/28/99 06:03p 4.2.736.1 38,256 Ssinc.dll x86 12/28/99 06:03p 4.2.736.1 25,360 Sspifilt.dll x86 12/28/99 06:03p 4.2.736.1 228,464 W3svc.dll x86 Microsoft Windows NT Server version 4.0, Terminal Server Edition ---------------------------------------------------------------- To resolve this problem, obtain the Windows NT Server 4.0, Terminal Server Edition, Security Rollup Package (SRP). For additional information about the SRP, click the article number below to view the article in the Microsoft Knowledge Base: Q317636 Windows NT Server 4.0, Terminal Server Edition, Security Rollup Package STATUS ====== Windows 2000 ------------ Microsoft has confirmed this to be a problem in Internet Information Services 5.0. This problem was first corrected in Windows 2000 Service Pack 1. Windows NT 4.0 -------------- Microsoft has confirmed this to be a problem in Internet Information Server 4.0. MORE INFORMATION ================ There are significant restrictions that increase the difficulty of exploiting this vulnerability: - By design, virtual directories hide the actual location of files. Under most circumstances, there is no way for an attacker to determine which files on a server actually reside on a UNC share. - Many browsers "correct" requests that contain the trailing characters at issue here by either removing the characters or changing them. - If recommended security practices are followed, ASP and other files that require server-side processing will not contain any sensitive information to compromise. This fix eliminates the vulnerability by removing the trailing special characters if they are included in the request. This causes the appropriate scripting engine to process the file when the request is returned to the browser. If the request is improperly formatted, the request is denied, and then returned to the client as an invalid request. For related information about this problem, please visit the following Microsoft Web site: http://www.microsoft.com/technet/security/bulletin/ms00-019.asp For additional security-related information about Microsoft products, please visit the following Microsoft Web site: http://www.microsoft.com/security/ For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base: Q249149 Installing Microsoft Windows 2000 and Windows 2000 Hotfixes Additional query words: tsesrp ====================================================================== Keywords : kbSecurity kbWin2000PreSP1Fix kbWinNT400PreSP7Fix kbgraphxlinkcritical Technology : kbiisSearch kbiis500 kbiis400 Version : :4.0,5.0 Hardware : ALPHA x86 Issue type : kbbug Solution Type : kbfix ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2002.