Microsoft KB Archive/260069

= Malformed HTR Request Returns Source Code for ASP Scripting Files =

Article ID: 260069

Article Last Modified on 11/21/2006

-

APPLIES TO


 * Microsoft Internet Information Services 5.0
 * Microsoft Internet Information Server 4.0

-



This article was previously published under Q260069



SYMPTOMS
A malformed HTR request may cause the source code of the Active Server Pages (ASP) script file to be returned.



CAUSE
The problem occurs because the CreateFile function that is used to open requested files deletes all of the trailing spaces in a file name. The file-name truncation in the CreateFile function causes the two names &quot;C:\Ineptub\Wwroot\Default.asp&quot; and &quot;C:\Ineptub\Wwroot\Default.asp&quot; to be the same, which causes the source code of the Default.asp file to be opened and be returned.



RESOLUTION
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack

Windows 2000:

The following file is available for download from the Microsoft Download Center:

Download Q267559_w2k_sp2_x86_en.exe now

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on secure servers that prevent any unauthorized changes to the file.

For additional information about what this package fixes, click the article numbers below to view the articles in the Microsoft Knowledge Base:

267560 Changing the URL in a Specific Manner May Expose Contents of a File

267559 GET on .Htr File Can Cause a &quot;Denial of Service&quot; or Enable Directory Browsing

260838 IIS Stops Servicing .htr Requests

The English version of this fix should have the following file attributes or later:

  Date        Time    Version         Size    File name -  07/07/2000  03:17p  5.00.2195.2100  46,352  Ism.dll

Windows NT 4.0

A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that are experiencing this specific problem.

To resolve this problem, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS

NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

The following files are available for download from the Microsoft Download Center:

x86: Download Htrdos4i.exe now

x86 Symbols: Download Htrdos4is.exe now

Alpha: Download Htrdos4a.exe now

Alpha Symbols: Download Htrdos4as.exe now

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file. For additional information about what this package fixes, click the article numbers below to view the articles in the Microsoft Knowledge Base:

267560 Changing the URL in a Specific Manner May Expose Contents of a File

267559 GET on .Htr File Can Cause a &quot;Denial of Service&quot; or Enable Directory Browsing

260838 IIS Stops Servicing .htr Requests

The English version of this fix should have the following file attributes or later:

  Date        Time    Version    Size    File name  Platform --  06/28/2000  09:34p  4.2.748.1  54,544  Ism.dll    x86 06/28/2000 09:30p  4.02.0748  84,752  Ism.dll    Alpha



STATUS
This problem was first corrected in Windows 2000 Service Pack 2.

Internet Information Services 5.0
Microsoft has confirmed that this is a problem in Internet Information Services 5.0.

Internet Information Server 4.0
Microsoft has confirmed that this is a problem in Internet Information Server 4.0.



MORE INFORMATION
For related information about this problem, please visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/ms00-031.mspx

For additional security-related information about Microsoft products, please visit the following Microsoft Web site:

http://www.microsoft.com/security/

For additional information about other issues that are resolved by this update, click the article number below to view the article in the Microsoft Knowledge Base:

260838 IIS Stops Servicing .htr Requests

For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:

249149 Installing Microsoft Windows 2000 and Windows 2000 Hotfixes

Keywords: kbbug kbfix kbgraphxlinkcritical kbwin2000presp2fix KB260069

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.