Default installations of Microsoft Site Server include ViewCode.asp, a tool provided so that users can view files in the sample sites. However, a Web visitor can also view any file on the server whose Access Control List (ACL) allows access by Web visitors and whose name the visitor knows or guesses.

Please note, however, that the Web visitor cannot change, delete, or add any files.

Back to the top

The ViewCode.asp tool does not restrict which files a visitor to a Web site can view.

Back to the top

To resolve this problem, obtain the latest service pack for Site Server 3.0. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

Back to the top

Remove all copies of ViewCode.asp from the production server, or set the ACLs for them so that only the appropriate users can use them.

NOTE: Per normal security practices, the ACLs on the server should always be set to enable Web visitors to view only the files they need anyway, and to deny access to all others.

Back to the top

This problem was first corrected in Site Server 3.0 Service Pack 3.

Back to the top

Microsoft highly recommends that customers evaluate the degree of risk that this vulnerability poses to their systems and determine whether to download and install the fix.

This fix corrects the vulnerability by restricting ViewCode.asp to viewing only files in the current directory. However, Web site operators who do not have a need to provide the file viewing capability may choose to remove all copies ViewCode.asp from the server altogether.

Back to the top

Environment in Which ViewCode.asp May Cause Security Risk

The security exposure is limited to the situation in which all of the following is true:

•	Servers that have the sample sites installed.
•	The sample sites are not protected by ACLs.
•	Sensitive data exists on the same logical drive as ViewCode.asp.
•	Files containing sensitive data allow the "Everyone" user group read or greater access in the ACL.
•	Malicious users know the path and filename of files that contain sensitive data.

Back to the top

Installing the Fix

The fix installation program, Update.exe, automatically replaces existing ViewCode.asp files.

NOTE: Common_viewcode.asp is used to replace the "common" ViewCode.asp file in the six directories listed below. PubSys_viewcode.asp is used to replace the existing ViewCode.asp in the Publishing sample (\Microsoft Site Server\SiteServer\Publishing).

Back to the top

Versions and Locations of ViewCode.asp

A complete installation of Site Server 3.0 will install various copies of ViewCode.asp in different directories. Therefore, if you to choose to remove it, perform a full-disk search to locate all copies.

The following six directories contain the same version of ViewCode.asp:

•	\Microsoft Site Server\Sites\Knowledge\Membership\Inspired
•	\Microsoft Site Server\Sites\Knowledge\Membership\Inspiredtutorial
•	\Microsoft Site Server\Sites\Samples\Knowledge\Membership\Inspired
•	\Microsoft Site Server\Sites\Samples\Knowledge\Membership\Inspiredtutorial
•	\Microsoft Site Server\Sites\Samples\Knowledge\Push
•	\Microsoft Site Server\Sites\Samples\Knowledge\Search

However, the Publishing sample (\Microsoft Site Server\SiteServer\Publishing) contains a different version of ViewCode.asp that is customized to work specifically with the Publishing samples, which allows the samples to work as properly, but prevents a malicious user from gaining access to files outside of the sample sites.

NOTE: ViewCode.asp should always have the ACL permissions set to Administrators only, or to a group that is limited to Web content developers.

Back to the top

Code Changes in the Fix

The issue is that ViewCode.asp uses "server.mappath" without any restrictions on what is passed to this function. Because ViewCode.asp allows a user to enter a path and filename, a malicious user could gain access to, and read (read-only), any known file on the same logical disk as ViewCode.asp that is not protected (no ACLs set for it).

The code added to the InitFileReading function in ViewCode.asp is as follows (these lines of code may wrap):

'Limit function to .asp and .vbo files in current and child directories
If instr(1, strVirtualPath, "..", 1) <> 0 Then
    Response.Write("<HR> The path to the requested file cannot be mapped.<HR>")
    fFileError = TRUE
ElseIf instr(1, strVirtualPath, ".asp", 1) = 0 And instr(1, strVirtualPath, ".vbo", 1) = 0 Then
    Response.Write("<HR> The path to the requested file cannot be mapped.<HR>")
    fFileError = TRUE
ElseIf Left( strVirtualPath, 1) = "/" or Left( strVirtualPath, 1) = "\" Then
    If instr(1, strVirtualPath, "/siteserver/publishing", 1) = 0 And instr(1, strVirtualPath, "/sites/knowledge/membership", 1) = 0 And instr(1, strVirtualPath, "/sites/samples/knowledge", 1) = 0 Then
        Response.Write("<HR> The path to the requested file cannot be mapped.<HR>")
        fFileError = TRUE
    End If
End If
				

For the Publishing sample sites, a slightly different modification is required (these lines of code may wrap):

'Limit function to .asp, .vbo, .inc, .txt, and .prf files in current, cmsample, fpsample, and child directories
If instr(1, strVirtualPath, "..", 1) <> 0 Then
    Response.Write("<HR> The path to the requested file cannot be mapped.<HR>")
    fFileError = TRUE
ElseIf instr(1, strVirtualPath, ".asp", 1) = 0 And instr(1, strVirtualPath, ".vbo", 1) = 0 And instr(1, strVirtualPath, ".inc", 1) = 0 And instr(1, strVirtualPath, ".txt", 1) = 0 And instr(1, strVirtualPath, ".prf", 1) = 0 Then
    Response.Write("<HR> The path to the requested file cannot be mapped.<HR>")
    fFileError = TRUE
ElseIf Left( strVirtualPath, 1) = "/" or Left( strVirtualPath, 1) = "\" Then
    If instr(1, strVirtualPath, "/siteserver/publishing", 1) = 0 And instr(1, strVirtualPath, "/cmsample", 1) = 0 And instr(1, strVirtualPath, "/fpsample", 1) = 0 Then
        Response.Write("<HR> The path to the requested file cannot be mapped.<HR>")
        fFileError = TRUE
    End If
End If
				

Back to the top

Purpose of ViewCode.asp & Related MSDN Sample

The purpose of ViewCode.asp is to show the Web content developer the code that makes the sample sites work.
If you base your content on one of the sample sites, remove the buttons (links) that load the code into ViewCode.asp to display it.

Back to the top

About Installing Samples & Documentation on Production Servers

Most Site Server users do not install the sample sites on their production servers, just as they do not install the documentation. They are not typically needed on the production servers, as they use additional disk space, and because of the fact that they are just samples, they may not be secure as needed in a production environment.

If you have a need to include the samples on a production server, however, consider restricting access to them to your developers only.

Back to the top

Additional References

Please see the following reference for more information related to this issue:

•	Microsoft Security Bulletin MS99-013, "Patch Available for ViewCode.asp Vulnerability" (The Web-posted version of this bulletin), http://www.microsoft.com/technet/security/Bulletin/MS99-013.mspx (http://www.microsoft.com/technet/security/Bulletin/MS99-013.mspx).

For additional security-related information about Microsoft products, please visit http://www.microsoft.com/security (http://www.microsoft.com/security).

Back to the top