| VID |
21129 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The '/iissamples/sdk/asp/docs/codebrws.asp' CGI is installed, and the remote web server appears to be running IIS 4.0 or Site Server. The codebrws.asp sample file allows remote attackers to read any file whose path is known on the same logical disk as the installed ASP code. The affected ASP sample files are:
* IIS_DIRECTORY\Iissamples\Exair\Howitworks\Code.asp
* IIS_DIRECTORY\Iissamples\Exair\Howitworks\Codebrws.asp
* IIS_DIRECTORY\Iissamples\Sdk\Asp\Docs\Codebrws.asp
* Program_Files\Common_Files\System\Msadc\Samples\Selector\Showcode.asp
However, note that the Web visitor cannot change, delete, or add any files. |
| Recommendation |
Remove all copies of Showcode.asp, Code.asp, and CodeBrws.asp from the production server, or set the ACLs on each of these files so that only the appropriate users have access. Vendor fixes are available from the following locations:
* Site Server 3.0: To resolve this problem, obtain the latest service pack for Site Server 3.0. For additional information, see the following article: http://support.microsoft.com/support/kb/articles/Q219/2/92.ASP
* IIS 4.0: A fix has been developed for IIS 4.0 and has been posted to the following Internet location as Fix2450I.exe (Intel) or Fix2450A.exe (Alpha): ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/Viewcode-fix/
  For more information about this fix, see the following article: http://support.microsoft.com/support/kb/articles/Q232/4/49.ASP |
| Related URL |
CVE-1999-0739 (CVE) |
| Related URL |
167 (SecurityFocus) |
| Related URL |
2383 (ISS) |
|