Article ID: 267559 - Last Review: November 21, 2006 - Revision: 8.4 MS00-044: GET on HTR file can cause a "denial of service" or enable directory browsingThis article was previously published under Q267559 SYMPTOMSNOTE: The issues described in this article are most likely to occur
only on computers that have been upgraded from IIS 3.0 (that included
.htr-based administrative tools) to IIS 4.0 or 5.0. One of the following symptoms may occur when a GET is performed on a .htr file. Symptom 1 - denial of servicePerforming a GET with a missing parameter on an existing .htr file can cause the execution of an endless loop, resulting in 100 percent CPU usage, and in turn, a denial of service to clients of the IIS server.Symptom 2 - ability to browse directoriesPerforming a GET with a missing parameter for a .htr file that exists can give a Web site visitor the ability to browse the Web site's directories.NOTE: Only read-only browsing occurs in this situation. No files can be modified by the Web site visitor. CAUSECause of symptom 1: denial of serviceThe .htr file that received the GET does not correctly handle the case where an expected parameter is missing. The absence of the parameter causes the script to go into an endless loop, at which point the script consumes all CPU resources on the server.NOTE: An administrative script, implemented as a .htr file and installed as part of IIS 3.0 and preserved on upgrade to IIS 4.0 or IIS 5.0 has this behavior of does not correctly handle a missing parameter Cause of symptom 2: ability to browse directoriesIn addition, the permissions on the administrative script (and several related ones), as well as potential .htr scripts created by the IIS user that were appropriate under IIS 3.0 are inappropriate under IIS 4.0 and 5.0. This may allow Web site visitors to use these tools, which provide the ability to view the directory structure on the server.Why do the tools have incorrect permissions?In IIS 3.0, HTR scripts can only be executed locally (that is, from the server itself). Because only an administrator should be able to log onto a Web server locally, it wasn't necessary for the scripts to authenticate the user, and it wasn't necessary to restrict who could execute them.However, IIS 4.0 introduced the capability for HTR scripts to be called remotely. The combination of these two factors (loose permissions inherited from IIS 3.0, coupled with the ability under IIS 4.0 to remotely execute HTR scripts) results in the incorrect permissions. RESOLUTION To resolve this problem, obtain the latest service
pack for Windows 2000. For more information, click the following article number
to view the article in the Microsoft Knowledge Base: 260910
(http://support.microsoft.com/kb/260910/
)
How to obtain the latest Windows Service Pack
Resolution for both symptomsIf you do not have business-critical .htr scripts, perform the following to disable .htr functionality:
Resolution for symptom 2: ability to browse directoriesDelete the /Scripts/Iisadmin directory, which contains the administrative scripts used by IIS 3.0.Alternatively, if you need to preserve this directory for some reason, make sure to explicitly limit the access permissions to the proper user accounts. Resolution for symptom 1: denial of serviceFor customers with business-critical HTR scripts who need to retain .htr functionality and therefore can't disable .htr functionality, the following patch is available that corrects the Denial of Service issue described in Symptom 1.For Windows 2000 The following files are available for download from the Microsoft Download Center: Collapse this image  Collapse this image Collapse this image Collapse this image Collapse this image Collapse this image Collapse this image Collapse this image Collapse this image Collapse this image Collapse this image Collapse this image Collapse this image Collapse this image Collapse this image Collapse this image Collapse this image Collapse this image Collapse this image Collapse this image Collapse this image Collapse this image Collapse this image Collapse this image Collapse this image 119591
(http://support.microsoft.com/kb/119591/
)
How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most
current virus-detection software that was available on the date that the file
was posted. The file is stored on security-enhanced servers that help prevent
any unauthorized changes to the file.
The English version of this fix should have the
following file attributes or later:Date Time Version Size File name ----------------------------------------------------- 07/07/2000 03:17p 5.00.2195.2100 46,352 Ism.dll A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that this article describes. Apply it only to systems that are experiencing this specific problem. To resolve this problem, contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site: http://support.microsoft.com/contactus/?ws=support
(http://support.microsoft.com/contactus/?ws=support)
Note In special cases, charges that are ordinarily incurred for
support calls may be canceled if a Microsoft Support Professional determines
that a specific update will resolve your problem. The usual support costs will
apply to additional support questions and issues that do not qualify for the
specific update in question.The following files are available for
download from the Microsoft Download Center:
x86: Collapse this image
x86 Symbols: Collapse this image
Alpha: Collapse this image
Alpha Symbols: For more
information about how to download Microsoft support files, click the following
article number to view the article in the Microsoft Knowledge Base: Collapse this image 119591
(http://support.microsoft.com/kb/119591/
)
How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most
current virus-detection software that was available on the date that the file
was posted. The file is stored on security-enhanced servers that help prevent
any unauthorized changes to the file.
The English version of this fix should have the
following file attributes or later:Date Time Version Size File name Platform ---------------------------------------------------------- 06/28/2000 09:34p 4.2.748.1 54,544 Ism.dll x86 06/28/2000 09:30p 4.02.0748 84,752 Ism.dll Alpha To resolve this problem, obtain the Windows NT Server 4.0, Terminal Server Edition, Security Rollup Package (SRP). For more information, click the following article number to view the article in the Microsoft Knowledge Base: 317636
(http://support.microsoft.com/kb/317636/
)
Windows NT Server 4.0, Terminal Server Edition, Security Rollup Package
STATUSMicrosoft has confirmed that this is a problem in about what
this package fixes.
This problem was first corrected in 260838 Service Pack
IIS Stops Servicing HTR Requests. MORE INFORMATION
For more information, click the following article number to view the article in
the Microsoft Knowledge Base: 260069
(http://support.microsoft.com/kb/260069/
)
Malformed HTR request returns source code for ASP scripting files
Related security bulletinFor more information, please see the Microsoft Security Bulletin at http://www.microsoft.com/technet/security/bulletin/ms00-044.mspx (http://www.microsoft.com/technet/security/bulletin/ms00-044.mspx) .How can an affected server be put back into service?Stop and restart the IIS service. It's not necessary to restart the server.What is HTR?HTR is a first-generation advanced scripting technology that is included in IIS 3.0. However, HTR was never widely adopted, and was superceded by Active Server Pages (ASP) technology introduced in IIS 4.0.
| Article Translations
|
| United States | Change | | | All Microsoft Sites |
Back to the top
|
