Preventing ViewCode.asp from Viewing Known Server Files

ID: Q231656

The information in this article applies to:

Microsoft Site Server version 3.0

SYMPTOMS

Default installations of Microsoft Site Server include ViewCode.asp, a tool provided so that users can view files in the sample sites. However, a Web visitor can also view any file on the server whose Access Control List (ACL) allows access by Web visitors and whose name the visitor knows or guesses.

Please note, however, that the Web visitor cannot change, delete, or add any files.

CAUSE

The ViewCode.asp tool does not restrict which files a visitor to a Web site can view.

WORKAROUND

Remove all copies of ViewCode.asp from the production server, or set the ACLs for them so that only the appropriate users can use them.

NOTE: Per normal security practices, the ACLs on the server should always be set to enable Web visitors to view only the files they need anyway, and to deny access to all others.

RESOLUTION

A supported fix that corrects this problem is now available from Microsoft, but it has not been fully regression tested and should be applied only to systems experiencing this specific problem. If you are not severely affected by this specific problem, Microsoft recommends that you wait for the next Site Server service pack that contains this fix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information on support costs, please go to the following address on the World Wide Web:

http://support.microsoft.com/support/supportnet/default.asp

The English version of this fix should have the following file attributes or later:


   Date      Time        Size    File name              Platform
   -------------------------------------------------------------
   05/06/99  11:56a    29,088    Common_viewcode.asp     (x86)
   07/02/98  12:27p       913    Eula.txt                (x86)
   05/06/99  11:37a    22,636    PubSys_viewcode.asp     (x86)
   01/27/99  11:02a    62,544    Update.exe              (x86)
   05/06/99  01:42p     7,166    Update.inf              (x86)

   05/06/99  11:56a    29,088    Common_viewcode.asp     (alpha)
   07/02/98  12:27p       913    Eula.txt                (alpha)
   05/06/99  11:37a    22,636    PubSys_viewcode.asp     (alpha)
   01/27/99  11:56a    80,144    Update.exe              (alpha)
   05/06/99  01:42p     7,166    Update.inf              (alpha)

This hotfix has been posted to the following Internet location as Viewfixi.exe (x86):

ftp://ftp.microsoft.com/bussys/sitesrv/sitesrv-public/fixes/usa/siteserver3/hotfixes-postsp2/Viewcode-fix/

NOTE: A version for Alpha platforms will be available shortly.

NOTE: If this product was already installed on your computer when you purchased it from the Original Equipment Manufacturer (OEM) and you need this fix, please call the Pay Per Incident number listed on the above Web site. If you contact Microsoft to obtain this fix, and if it is determined that you only require the fix you requested, no fee will be charged. However, if you request additional technical support, and if your no-charge technical support period has expired, or if you are not eligible for standard no-charge technical support, you may be charged a non-refundable fee.

For more information about eligibility for no-charge technical support, see the following article in the Microsoft Knowledge Base:

Q154871 Determining If You Are Eligible for No-Charge Technical Support

STATUS

Microsoft has confirmed this to be a problem in Site Server 3.0.

MORE INFORMATION

Microsoft highly recommends that customers evaluate the degree of risk that this vulnerability poses to their systems and determine whether to download and install the fix.

This fix corrects the vulnerability by restricting ViewCode.asp to viewing only files in the current directory. However, Web site operators who do not have a need to provide the file viewing capability may choose to remove all copies ViewCode.asp from the server altogether.

Environment in Which ViewCode.asp May Cause Security Risk

The security exposure is limited to the situation in which all of the following is true:

Servers that have the sample sites installed.

The sample sites are not protected by ACLs.

Sensitive data exists on the same logical drive as ViewCode.asp.

Files containing sensitive data allow the "Everyone" user group read or greater access in the ACL.

Malicious users know the path and filename of files that contain sensitive data.

Installing the Fix

The fix installation program, Update.exe, automatically replaces existing ViewCode.asp files.

NOTE: Common_viewcode.asp is used to replace the "common" ViewCode.asp file in the six directories listed below. PubSys_viewcode.asp is used to replace the existing ViewCode.asp in the Publishing sample (\Microsoft Site Server\SiteServer\Publishing).

Versions and Locations of ViewCode.asp

A complete installation of Site Server 3.0 will install various copies of ViewCode.asp in different directories. Therefore, if you to choose to remove it, perform a full-disk search to locate all copies.

The following six directories contain the same version of ViewCode.asp:

\Microsoft Site Server\Sites\Knowledge\Membership\Inspired
\Microsoft Site Server\Sites\Knowledge\Membership\Inspiredtutorial
\Microsoft Site Server\Sites\Samples\Knowledge\Membership\Inspired
\Microsoft Site Server\Sites\Samples\Knowledge\Membership\Inspiredtutorial
\Microsoft Site Server\Sites\Samples\Knowledge\Push
\Microsoft Site Server\Sites\Samples\Knowledge\Search

However, the Publishing sample (\Microsoft Site Server\SiteServer\Publishing) contains a different version of ViewCode.asp that is customized to work specifically with the Publishing samples, which allows the samples to work as properly, but prevents a malicious user from gaining access to files outside of the sample sites.

NOTE: ViewCode.asp should always have the ACL permissions set to Administrators only, or to a group that is limited to Web content developers.

Code Changes in the Fix

The issue is that ViewCode.asp uses "server.mappath" without any restrictions on what is passed to this function. Because ViewCode.asp allows a user to enter a path and filename, a malicious user could gain access to, and read (read-only), any known file on the same logical disk as ViewCode.asp that is not protected (no ACLs set for it).

The code added to the InitFileReading function in ViewCode.asp is as follows (these lines of code may wrap):


'Limit function to .asp and .vbo files in current and child directories
If instr(1, strVirtualPath, "..", 1) <> 0 Then
    Response.Write("<HR> The path to the requested file cannot be mapped.<HR>")
    fFileError = TRUE
ElseIf instr(1, strVirtualPath, ".asp", 1) = 0 And instr(1, strVirtualPath, ".vbo", 1) = 0 Then
    Response.Write("<HR> The path to the requested file cannot be mapped.<HR>")
    fFileError = TRUE
ElseIf Left( strVirtualPath, 1) = "/" or Left( strVirtualPath, 1) = "\" Then
    If instr(1, strVirtualPath, "/siteserver/publishing", 1) = 0 And instr(1, strVirtualPath, "/sites/knowledge/membership", 1) = 0 And instr(1, strVirtualPath, "/sites/samples/knowledge", 1) = 0 Then
        Response.Write("<HR> The path to the requested file cannot be mapped.<HR>")
        fFileError = TRUE
    End If
End If

For the Publishing sample sites, a slightly different modification is required (these lines of code may wrap):


'Limit function to .asp, .vbo, .inc, .txt, and .prf files in current, cmsample, fpsample, and child directories
If instr(1, strVirtualPath, "..", 1) <> 0 Then
    Response.Write("<HR> The path to the requested file cannot be mapped.<HR>")
    fFileError = TRUE
ElseIf instr(1, strVirtualPath, ".asp", 1) = 0 And instr(1, strVirtualPath, ".vbo", 1) = 0 And instr(1, strVirtualPath, ".inc", 1) = 0 And instr(1, strVirtualPath, ".txt", 1) = 0 And instr(1, strVirtualPath, ".prf", 1) = 0 Then
    Response.Write("<HR> The path to the requested file cannot be mapped.<HR>")
    fFileError = TRUE
ElseIf Left( strVirtualPath, 1) = "/" or Left( strVirtualPath, 1) = "\" Then
    If instr(1, strVirtualPath, "/siteserver/publishing", 1) = 0 And instr(1, strVirtualPath, "/cmsample", 1) = 0 And instr(1, strVirtualPath, "/fpsample", 1) = 0 Then
        Response.Write("<HR> The path to the requested file cannot be mapped.<HR>")
        fFileError = TRUE
    End If
End If

Purpose of ViewCode.asp & Related MSDN Sample

The purpose of ViewCode.asp is to show the Web content developer the code that makes the sample sites work. This type of function is also used on the Web author's workshop on the MSDN site (http://msdn.microsoft.com/workshop/c-frame.htm#/workshop/author/default.asp).

If you base your content on one of the sample sites, remove the buttons (links) that load the code into ViewCode.asp to display it.

About Installing Samples & Documentation on Production Servers

Most Site Server users do not install the sample sites on their production servers, just as they do not install the documentation. They are not typically needed on the production servers, as they use additional disk space, and because of the fact that they are just samples, they may not be secure as needed in a production environment.

If you have a need to include the samples on a production server, however, consider restricting access to them to your developers only.

Additional References

Please see the following reference for more information related to this issue:

Microsoft Security Bulletin MS99-013, "Patch Available for ViewCode.asp Vulnerability" (The Web-posted version of this bulletin), http://www.microsoft.com/security/bulletins/ms99-013.asp.

For additional security-related information about Microsoft products, please visit http://www.microsoft.com/security.

Additional query words: patch hotfix hot fix qfe default setup set up viewcode utility hacker breach read see source


Keywords          : 
Version           : winnt:3.0
Platform          : winnt 
Issue type        : kbbug

Last Reviewed: May 19, 1999