ESB-98.015 -- Microsoft Security Advisory Q179148 -- Settings May Not Be Applied with URL with Short Filename

Date: 27 January 1998

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
              AUSCERT External Security Bulletin Redistribution
                                      
                                      
              ESB-98.015 -- Microsoft Security Advisory Q179148
          Settings May Not Be Applied with URL with Short Filename
                               27 January 1998

===========================================================================

Microsoft has released the following advisory concerning vulnerabilities
in Internet Information Server (IIS) 4.0 and Personal Web Server (PWS)
4.0.  These vulnerabilities may allow users to access certain directories
or files through IIS 4.0 or PWS 4.0 and bypass specific security settings
such as SSL encryption.

The following security bulletin is provided as a service to AUSCERT's
members.  As AUSCERT did not write this document, AUSCERT has had no
control over its content.  As such, the decision to use any or all of this
information is the responsibility of each user or organisation, and should
be done so in accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It will
not be updated when the original bulletin is.  If downloading at a later
date, it is recommended that the bulletin is retrieved from the original
authors to ensure that the information is still current.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AUSCERT or your
representative in FIRST (Forum of Incident Response and Security Teams).

Internet Email: auscert@auscert.org.au
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AUSCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for emergencies.
Facsimile:      (07) 3365 7031


- --------------------------BEGIN INCLUDED TEXT--------------------

Settings May Not Be Applied with URL with Short Filename

- ---------------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Internet Information Server version 4.0
 - Microsoft Personal Web Server version 4.0
- ---------------------------------------------------------------------------

SYMPTOMS
========

Microsoft has been made aware of an issue in Internet Information Server 
(IIS) 4.0 and Personal Web Server (PWS) 4.0 in which certain configuration 
settings may not be applied when a URL is requested using the short file 
name (8.3) equivalent of a long directory or file name. These configuration 
settings include restricting access by IP address, PICS ratings, and 
requiring SSL encryption. Windows NT file permissions (ACLs) are not 
affected. 

As a result, users are able to access certain directories or files through 
IIS 4.0 or PWS 4.0 and bypass specific security settings such as SSL 
encryption or IP address restrictions.

CAUSE
=====

The Windows NT and Windows 95 file systems (FAT, FAT32, and NTFS) support 
file names of up to 255 characters. To maintain compatibility with older, 
non-32-bit applications, a short file name (called the 8.3 file name) is 
created for each file. This short file name equivalent is used by older 
applications to access directories and files with long names. 

IIS 4.0 and PWS 4.0 maintain certain configuration information about 
directories and files in a database called the metabase. The metabase 
does not contain file permissions, but rather Web server-specific 
information such as requiring SSL encryption, proxy cache settings, and 
PICS ratings. Actual file and directory permissions are enforced by NTFS 
and are not affected by this problem. 

In certain cases when a URL is requested using the short file name, it 
is possible that configuration properties specified in the metabase may 
not be applied as expected. This issue only occurs where long file names 
are used for directories or files, and specific metabase configuration 
properties are set on those directories or files. File permissions by a 
user or group using NTFS access control lists (ACL) are not affected. 
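The mechanism described in SYMPTOMS and CAUSE above, as an added example that is not part of Microsoft's advisory or AusCERT's text: a per-directory Web-server setting is stored under the long name of the directory, a request spelled with the 8.3 alias still opens the same directory on disk, and the setting is not applied. The block models the vulnerable lookup beside a canonicalising one, and scans log lines for requests that use 8.3 aliases. The 8.3 generator is a simplified approximation of the NTFS algorithm, and the directory tree, metabase contents and log lines are constructed for the demonstration; none of this is IIS code.

```python
"""Added example (not Microsoft's or AusCERT's code): a web-server setting
keyed on a long directory name is missed when the request uses the 8.3
alias of that directory.  All data below is constructed."""
import re


def short_name(long_name, taken):
    """Approximate NTFS 8.3 alias generation (assumption: real NTFS strips
    more characters and switches to hashed suffixes after a few collisions).
    Names that already fit 8.3 are returned upper-cased, without an alias."""
    base, dot, ext = long_name.rpartition(".")
    if not dot:
        base, ext = long_name, ""

    def clean(s):
        return re.sub(r"[^A-Z0-9_$!#%&'()@^`{}~-]", "", s.upper().replace(" ", ""))

    cb, ce = clean(base), clean(ext)[:3]
    if len(cb) <= 8 and cb == base.upper() and ce == ext.upper():
        return long_name.upper()
    for n in range(1, 10):
        cand = cb[:6] + "~" + str(n) + ("." + ce if ce else "")
        if cand not in taken:
            taken.add(cand)
            return cand
    raise ValueError("too many collisions for " + long_name)


# Constructed web root: on-disk long path -> entries in that directory.
TREE = {
    "": ["SecureDocuments", "Administration", "public.htm"],
    "SecureDocuments": ["index.html", "Quarterly Report.doc"],
    "Administration": ["console.asp"],
}

# Constructed stand-in for the metabase: settings keyed on the virtual path
# as the administrator typed it.  NTFS ACLs are deliberately not modelled;
# the advisory says they are unaffected.
METABASE = {
    "/securedocuments": {"require_ssl": True},
    "/administration": {"ip_allow": "10."},   # client IP must start with this
}


def alias_table(dir_path):
    """Every spelling the file system accepts (long or 8.3, case-folded)
    for the entries of dir_path, mapped back to the entry's long name."""
    table, taken = {}, set()
    for name in TREE[dir_path]:
        table[name.upper()] = name
        table[short_name(name, taken)] = name
    return table


def resolve(request_path):
    """Walk the request segment by segment the way NTFS would and return
    the on-disk long path, or None if a segment does not exist."""
    long_segs = []
    for seg in request_path.strip("/").split("/"):
        table = alias_table("/".join(long_segs))
        if seg.upper() not in table:
            return None
        long_segs.append(table[seg.upper()])
    return "/" + "/".join(long_segs)


def settings_for(virtual_path):
    """Merge the metabase entries of every prefix of virtual_path."""
    segs = virtual_path.strip("/").lower().split("/")
    merged = {}
    for i in range(1, len(segs) + 1):
        merged.update(METABASE.get("/" + "/".join(segs[:i]), {}))
    return merged


def handle(request_path, client_ip, is_ssl, canonicalize):
    """Return 'ALLOW', 'DENY' or 'NOT FOUND'.  canonicalize=False models the
    advisory: settings are looked up under the path as the client spelled it.
    canonicalize=True resolves to the long name first, so the alias and the
    long name receive the same settings."""
    disk_path = resolve(request_path)
    if disk_path is None:
        return "NOT FOUND"
    s = settings_for(disk_path if canonicalize else request_path)
    if s.get("require_ssl") and not is_ssl:
        return "DENY"
    if "ip_allow" in s and not client_ip.startswith(s["ip_allow"]):
        return "DENY"
    return "ALLOW"


# A path segment that looks like an 8.3 alias: up to six characters, a
# tilde and digits, optionally a three-character extension.
SHORT_NAME_SEGMENT = re.compile(r"(?:^|/)[^/]{0,6}~\d+(?:\.[^/.]{0,3})?(?=/|$)")


def find_short_name_requests(log_lines):
    """Return (client ip, uri) for log lines (constructed field order:
    date time c-ip cs-method cs-uri-stem sc-status) whose path contains an
    8.3-looking segment.  Browsers almost never emit these, so each hit is
    worth checking against directories that carry metabase restrictions."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if line.startswith("#") or len(fields) < 5:
            continue
        if SHORT_NAME_SEGMENT.search(fields[4]):
            hits.append((fields[2], fields[4]))
    return hits


# Constructed sample log lines, not from any real server.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status",
    "1998-01-27 09:12:44 203.0.113.7 GET /SecureDocuments/index.html 403",
    "1998-01-27 09:12:51 203.0.113.7 GET /SECURE~1/INDEX~1.HTM 200",
    "1998-01-27 09:13:02 10.4.4.4 GET /Administration/console.asp 200",
    "1998-01-27 09:13:09 203.0.113.7 GET /ADMINI~1/console.asp 200",
    "1998-01-27 09:13:15 203.0.113.7 GET /public.htm 200",
]

if __name__ == "__main__":
    for path in ("/SecureDocuments/index.html", "/SECURE~1/INDEX~1.HTM"):
        for fix in (False, True):
            print(f"{path:28} canonicalize={fix!s:5} -> "
                  f"{handle(path, '203.0.113.7', False, fix)}")
    for ip, uri in find_short_name_requests(SAMPLE_LOG):
        print("8.3 alias request:", ip, uri)
```

The fix shown is the general rule rather than anything specific to the metabase: authorise on the canonical object the file system will actually open, not on the string the client sent. To find which long-named directories in a real web root have aliases, `dir /x` on current Windows versions lists the 8.3 alias beside each long name; disabling 8.3 name creation afterwards does not remove aliases that already exist.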

STATUS
======

Microsoft has confirmed this to be a problem in Internet Information 
Server version 4.0. 

A supported fix is now available, but has not been fully regression-
tested and should be applied only to systems experiencing this specific
problem. Unless you are severely impacted by this specific problem,
Microsoft recommends that you wait for the next Service Pack that contains
this fix. Contact Microsoft Technical Support for more information.

- --------------------------END INCLUDED TEXT--------------------


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBNNCPkCh9+71yA2DNAQHeiQP/Y/evwLZkZ9coqHSG0P9D9N+nVkJZbxPh
K/6aMPrC/RraDlO0i6EaCrlVKAaP1hip4lJh2yLuAvSpTNkPLGGch7ZADX10arsl
rwbiDkyig0WIalCetar++3U94RAzqd66IjGrNbmm+Gq+qSlvLiB++zI+uET3Q165
imASkhYuFZQ=
=SJdh
-----END PGP SIGNATURE-----