Article ID: 231368 - View products that this article applies to.
This article was previously published under Q231368
Microsoft has identified a vulnerability that occurs in some file viewers that are included with Microsoft Site Server and Internet Information Server.
The vulnerability could allow a Web site visitor to view, but not to change, files on the server, provided that the visitor knows or guesses the name of each file and has access rights to the file based on the Windows NT Access Control Lists (ACLs).
Site Server 3.0To resolve this problem, obtain the latest service pack for Site Server 3.0. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
219292This problem was first corrected in Site Server 3.0 Service Pack 3.
(http://support.microsoft.com/kb/219292/EN-US/ )How to Obtain the Latest Site Server 3.0 Service Pack
IIS 4.0A fix has been developed for IIS 4.0, and has been posted to the following Internet location as Fix2450I.exe (Intel) or Fix2450A.exe (Alpha):
To eliminate the vulnerability on your Web server that can be caused by these file viewers, you should:
Microsoft Site Server and Internet Information Server (IIS) include tools that allow Web site visitors to view selected files on the server. These tools are installed by default in Site Server, but must be explicitly installed in IIS. These tools are provided to allow users to view the source code of sample files as a learning exercise, and are not intended to be deployed on production Web servers. The underlying problem in this vulnerability is that the tools do not restrict which files a Web site visitor can view.
Note the following important points:
Article ID: 231368 - Last Review: October 26, 2006 - Revision: 4.3