Microsoft's (MSFT) Internet Information
Server 3.0 contains a security hole that could potentially
expose database passwords and other sensitive
information to the public.
Today, Microsoft confirmed that the latest version of its
Web server has a glitch in a feature called Active Server
Pages that could inadvertently reveal private information
to hackers. Active Server Pages allows Web developers
to combine scripts with HTML code so that a Web page
can display, for example, the correct time when a user
accesses the page.
The problem also affects two other scripting features in
IIS 3.0, HTML Extension (HTX) and Internet Database
Connector (IDC).
Unlike some security holes found in Web servers and
other products, the IIS glitch doesn't require an
extremely sophisticated hacker to exploit it. When faced
with a Web page that uses Active Server Pages, a user
need only type a period after the file name in the URL
window on a Web browser. (For example,
"http://www.mycompany.com/default.asp" would
become "http://www.mycompany.com/default.asp.") The
contents of a file, potentially including database
passwords, would then be displayed through the
browser.
"The problem is that if you put a dot at the end of
the file
name, instead of being executed, [the file] actually gets
read to the client by the server," said Jonathan Perera,
lead product manager at Microsoft.
Once hackers have the name of a database and its
password, they might still be blocked from accessing it
by a corporate firewall. Also, the file that is
displayed to
users won't necessarily display passwords. Still,
Microsoft is frantically preparing a fix for the
problem that
should be available within the next two days.
In the meantime, developers have already come with a
software patch that fixes the security hole.
"There's a lot of information that a developer can put
into
scripts," said Perera. "It's possible to pass a password
to a database with scripts. Theoretically, it's
possible for
a hacker to get the name of a database and password."
Microsoft officials learned of the security problem this
morning after developers posted information to various
newsgroups and mailing lists about the bug. More than
100,000 copies of IIS 3.0 have been downloaded from
Microsoft's Web site, Perera said.
Web developers expressed concern about the security
hole, even though firewalls may screen out most
intruders from accessing internal company databases.
"We have to remember that hackers are located on
intranets also so that if the hacker is within the
firewall
of the corporate intranet, or if the server is
available via
some protocol over the Internet, the hacker can perform
any malicious acts that the compromised account
allows," said Stephen Genusa, vice president of
engineering for software developer IRdg.
Another developer was equally concerned that the hole
would allow other programmers to copy the source
code of Active Server Pages scripts to use on their own
pages.
"It's like delivering MS Word with the source code
included," said Christoph Wille, a software developer
based in Leoben, Austria. "Don't even think about
passwords and hackers. You lose a big amount of
money when your customers simply have to download
the source code from another site that has already
bought the software."
--I got two turntables and a microphone...
<> tbyars@earthlink.net <>