Microsoft KB Archive/231656

= Preventing ViewCode.asp from Viewing Known Server Files =

Article ID: 231656

Article Last Modified on 9/4/2007

-

APPLIES TO


 * Microsoft Site Server 3.0 Standard Edition

-



This article was previously published under Q231656



SYMPTOMS
Default installations of Microsoft Site Server include ViewCode.asp, a tool provided so that users can view files in the sample sites. However, a Web visitor can also view any file on the server whose Access Control List (ACL) allows access by Web visitors and whose name the visitor knows or guesses.

Please note, however, that the Web visitor cannot change, delete, or add any files.



CAUSE
The ViewCode.asp tool does not restrict which files a visitor to a Web site can view.



RESOLUTION
To resolve this problem, obtain the latest service pack for Site Server 3.0. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

219292 How to Obtain the Latest Site Server 3.0 Service Pack



WORKAROUND
Remove all copies of ViewCode.asp from the production server, or set the ACLs for them so that only the appropriate users can use them.

NOTE: Per normal security practices, the ACLs on the server should always be set to enable Web visitors to view only the files they need anyway, and to deny access to all others.



STATUS
This problem was first corrected in Site Server 3.0 Service Pack 3.



MORE INFORMATION
Microsoft highly recommends that customers evaluate the degree of risk that this vulnerability poses to their systems and determine whether to download and install the fix.

This fix corrects the vulnerability by restricting ViewCode.asp to viewing only files in the current directory. However, Web site operators who do not have a need to provide the file viewing capability may choose to remove all copies ViewCode.asp from the server altogether.

Environment in Which ViewCode.asp May Cause Security Risk
The security exposure is limited to the situation in which all of the following is true:
 * Servers that have the sample sites installed.
 * The sample sites are not protected by ACLs.
 * Sensitive data exists on the same logical drive as ViewCode.asp.
 * Files containing sensitive data allow the "Everyone" user group read or greater access in the ACL.
 * Malicious users know the path and filename of files that contain sensitive data.

Installing the Fix
The fix installation program, Update.exe, automatically replaces existing ViewCode.asp files.

NOTE: Common_viewcode.asp is used to replace the "common" ViewCode.asp file in the six directories listed below. PubSys_viewcode.asp is used to replace the existing ViewCode.asp in the Publishing sample (\Microsoft Site Server\SiteServer\Publishing).

Versions and Locations of ViewCode.asp
A complete installation of Site Server 3.0 will install various copies of ViewCode.asp in different directories. Therefore, if you to choose to remove it, perform a full-disk search to locate all copies.

The following six directories contain the same version of ViewCode.asp:
 * \Microsoft Site Server\Sites\Knowledge\Membership\Inspired
 * \Microsoft Site Server\Sites\Knowledge\Membership\Inspiredtutorial
 * \Microsoft Site Server\Sites\Samples\Knowledge\Membership\Inspired
 * \Microsoft Site Server\Sites\Samples\Knowledge\Membership\Inspiredtutorial
 * \Microsoft Site Server\Sites\Samples\Knowledge\Push
 * \Microsoft Site Server\Sites\Samples\Knowledge\Search

However, the Publishing sample (\Microsoft Site Server\SiteServer\Publishing) contains a different version of ViewCode.asp that is customized to work specifically with the Publishing samples, which allows the samples to work as properly, but prevents a malicious user from gaining access to files outside of the sample sites.

NOTE: ViewCode.asp should always have the ACL permissions set to Administrators only, or to a group that is limited to Web content developers.

Code Changes in the Fix
The issue is that ViewCode.asp uses "server.mappath" without any restrictions on what is passed to this function. Because ViewCode.asp allows a user to enter a path and filename, a malicious user could gain access to, and read (read-only), any known file on the same logical disk as ViewCode.asp that is not protected (no ACLs set for it).

The code added to the InitFileReading function in ViewCode.asp is as follows (these lines of code may wrap): 'Limit function to .asp and .vbo files in current and child directories If instr(1, strVirtualPath, "..", 1) <> 0 Then Response.Write(" The path to the requested file cannot be mapped.") fFileError = TRUE ElseIf instr(1, strVirtualPath, ".asp", 1) = 0 And instr(1, strVirtualPath, ".vbo", 1) = 0 Then Response.Write(" The path to the requested file cannot be mapped.") fFileError = TRUE ElseIf Left( strVirtualPath, 1) = "/" or Left( strVirtualPath, 1) = "\" Then If instr(1, strVirtualPath, "/siteserver/publishing", 1) = 0 And instr(1, strVirtualPath, "/sites/knowledge/membership", 1) = 0 And instr(1, strVirtualPath, "/sites/samples/knowledge", 1) = 0 Then Response.Write(" The path to the requested file cannot be mapped.") fFileError = TRUE End If End If For the Publishing sample sites, a slightly different modification is required (these lines of code may wrap): 'Limit function to .asp, .vbo, .inc, .txt, and .prf files in current, cmsample, fpsample, and child directories If instr(1, strVirtualPath, "..", 1) <> 0 Then Response.Write(" The path to the requested file cannot be mapped.") fFileError = TRUE ElseIf instr(1, strVirtualPath, ".asp", 1) = 0 And instr(1, strVirtualPath, ".vbo", 1) = 0 And instr(1, strVirtualPath, ".inc", 1) = 0 And instr(1, strVirtualPath, ".txt", 1) = 0 And instr(1, strVirtualPath, ".prf", 1) = 0 Then Response.Write(" The path to the requested file cannot be mapped.<HR>") fFileError = TRUE ElseIf Left( strVirtualPath, 1) = "/" or Left( strVirtualPath, 1) = "\" Then If instr(1, strVirtualPath, "/siteserver/publishing", 1) = 0 And instr(1, strVirtualPath, "/cmsample", 1) = 0 And instr(1, strVirtualPath, "/fpsample", 1) = 0 Then Response.Write("<HR> The path to the requested file cannot be mapped.<HR>") fFileError = TRUE End If End If

Purpose of ViewCode.asp & Related MSDN Sample
The purpose of ViewCode.asp is to show the Web content developer the code that makes the sample sites work.

If you base your content on one of the sample sites, remove the buttons (links) that load the code into ViewCode.asp to display it.

About Installing Samples & Documentation on Production Servers
Most Site Server users do not install the sample sites on their production servers, just as they do not install the documentation. They are not typically needed on the production servers, as they use additional disk space, and because of the fact that they are just samples, they may not be secure as needed in a production environment.

If you have a need to include the samples on a production server, however, consider restricting access to them to your developers only.

Additional References
Please see the following reference for more information related to this issue:
 * Microsoft Security Bulletin MS99-013, "Patch Available for ViewCode.asp Vulnerability" (The Web-posted version of this bulletin), http://www.microsoft.com/technet/security/Bulletin/MS99-013.mspx.

For additional security-related information about Microsoft products, please visit http://www.microsoft.com/security.

Additional query words: patch hotfix hot fix qfe default setup set up viewcode utility hacker breach read see source

Keywords: kbhotfixserver kbqfe kbbug kbfix kbqfe KB231656

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.