The custom error page 500-100.asp may return sensitive information in Internet Information Services 5.0 and in Internet Information Services 5.1

In certain scenarios, the Microsoft Internet Information Services (IIS) custom error page 500-100.asp may return sensitive information back to a browser. This problem may occur only in Microsoft Internet Information Services 5.0 and in Microsoft Internet Information Services 5.1. Microsoft Internet Information Services 6.0 is not affected.

By sending a specially crafted request, you can bypass a verification step in the custom error page 500-100.asp. This page is only executed if an Active Server Pages (ASP) page that is present on the server that is running IIS contains a script error. The verification step makes sure that a detailed error message about this script error is only returned to the browser if the request is made from the Web server computer itself. In certain scenarios, this detailed error message may contain sensitive information about the configuration of the server that is running IIS.

To resolve this problem, use one of the following methods:

• Remove the All Unassigned binding for each of your sites, and specify the host name that your site requires.
• Update the 500-100.asp page. The 500-100.asp page is located under %windir%/iishelp/common. To update the 500-100.asp page, locate the following line of code.

  If (strServername = "localhost" Or strServerIP = strRemoteIP) And objASPError.File <> "?" Then

  Change this line of code to the following line of code.

  If (strServerIP = strRemoteIp) And objASPError.File <> "?" Then

  This update is the same for IIS 5.0 and for IIS 5.1.