DOCUMENT:Q276489 08-MAY-2002 [iis] TITLE :Patch Available for Web Server Folder Traversal Vulnerability PRODUCT :Internet Information Server PROD/VER::4.0,5.0 OPER/SYS: KEYWORDS:kbWin2000PreSP2Fix ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Internet Information Services version 5.0 - Microsoft Internet Information Server version 4.0 ------------------------------------------------------------------------------- IMPORTANT: If you download and install the fix included in this article onto a computer running IIS 3.0, the IIS 3.0 Web, FTP, and Proxy services will fail. This fix should only be applied to computers running IIS 4.0 or later. To verify your version of IIS, follow these steps: 1. Click Start, click Settings, and then click Control Panel. 2. Double-click Administrative Tools, and then click the Services icon. 3. In the Services list, locate the IIS Admin Service. If the IIS Admin Service is listed, download and apply the fix included in this article. If the IIS Admin Service is not listed, your version of IIS is not vulnerable to the problem that is corrected by these fixes. Therefore, no action is needed. IIS 3.0 is not vulnerable and does not need this fix. SYMPTOMS ======== A security vulnerability exists in Internet Information Services 5.0 and Internet Information Server 4.0 that may allow a malicious user to gain access to files and folders that are located on the logical drive containing the Web folders. This vulnerability can potentially allow a Web site visitor to take a wide range of destructive actions against it, including running programs on it. RESOLUTION ========== This vulnerability is eliminated by the patch that accompanied the Microsoft File Permission Canonicalization Vulnerability (http://www.microsoft.com/technet/security/bulletin/ms00-057.asp) Security Bulletin. Customers who have applied the patch from MS00-057 are already protected against this vulnerability and do not need to take additional action. If you are using IIS 4.0 or IIS 5.0, Microsoft strongly urges you to apply the patch immediately, if you have not already done so. For additional information about how to obtain this patch, click the article number below to view the article in the Microsoft Knowledge Base: Q269862 Patch Released for Canonicalization Error Issue STATUS ====== Microsoft has confirmed this to be a problem in the Microsoft products that are listed at the beginning of this article. MORE INFORMATION ================ Additional information about this issue is available from the following Microsoft Web site: http://www.microsoft.com/technet/security/bulletin/MS00-078.asp http://www.microsoft.com/technet/security/bulletin/MS00-086.asp The English version of the IIS 5.0 fix should have the following file attributes or later: Date Time Version Size File name ----------------------------------------------------- 08-09-2000 1:02pm 5.0.2195.2103 357,136 W3svc.dll The English version of the IIS 4.0 fix should have the following file attributes or later: Date Time Size File name Platform --------------------------------------------------- 08/03/2000 05:06p 330,080 Asp.dll Intel 08/03/2000 05:04p 185,792 Infocomm.dll Intel 08/03/2000 05:05p 38,256 Ssinc.dll Intel 08/03/2000 05:05p 25,360 Sspifilt.dll Intel 08/03/2000 05:05p 228,496 W3svc.dll Intel 08/03/2000 05:08p 551,696 Asp.dll Alpha 08/03/2000 05:06p 304,912 Infocomm.dll Alpha 08/03/2000 05:07p 60,176 Ssinc.dll Alpha 08/03/2000 05:07p 39,696 Sspifilt.dll Alpha 08/03/2000 05:07p 384,272 W3svc.dll Alpha Additional query words: ====================================================================== Keywords : kbWin2000PreSP2Fix Technology : kbiisSearch kbiis500 kbiis400 Version : :4.0,5.0 Hardware : x86 Issue type : kbbug Solution Type : kbfix ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2002.