Microsoft KB Archive/906910

= The custom error page 500-100.asp may return sensitive information in Internet Information Services 5.0 and in Internet Information Services 5.1 =

Article ID: 906910

Article Last Modified on 11/21/2006


APPLIES TO


 * Microsoft Internet Information Services 5.0
 * Microsoft Internet Information Services 5.1




SYMPTOMS
In certain scenarios, the Microsoft Internet Information Services (IIS) custom error page 500-100.asp may return sensitive information back to a browser. This problem may occur only in Microsoft Internet Information Services 5.0 and in Microsoft Internet Information Services 5.1. Microsoft Internet Information Services 6.0 is not affected.

By sending a specially crafted request, you can bypass a verification step in the custom error page 500-100.asp. This page is only executed if an Active Server Pages (ASP) page that is present on the server that is running IIS contains a script error. The verification step makes sure that a detailed error message about this script error is only returned to the browser if the request is made from the Web server computer itself. In certain scenarios, this detailed error message may contain sensitive information about the configuration of the server that is running IIS.



RESOLUTION
To resolve this problem, use one of the following methods:

 * Remove the All Unassigned binding for each of your sites, and specify the host name that your site requires.
 * Update the 500-100.asp page. The 500-100.asp page is located under %windir%/iishelp/common. To update the 500-100.asp page, locate the following line of code.

    If (strServername = "localhost" Or strServerIP = strRemoteIP) And objASPError.File <> "?" Then

Change this line of code to the following line of code.

    If (strServerIP = strRemoteIp) And objASPError.File <> "?" Then

This update is the same for IIS 5.0 and for IIS 5.1.
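The following added example (not Microsoft's code, and not part of the original article) checks the text of a 500-100.asp file for the original gate line and applies the replacement line given above. The names audit, apply_fix and SAMPLE are hypothetical, and the sample input is constructed; only the two gate lines come from the article.

```python
import re

FLAGS = re.IGNORECASE | re.MULTILINE  # VBScript keywords and names ignore case
TAIL = r'\s*And\s+objASPError\.File\s*<>\s*"\?"\s*Then'
IP_CHECK = r'strServerIP\s*=\s*strRemoteIP'
# Anchored at line start so a commented-out copy (leading ') is not matched.
VULNERABLE = re.compile(
    r'^([ \t]*)If\s*\(\s*strServername\s*=\s*"localhost"\s+Or\s+'
    + IP_CHECK + r'\s*\)' + TAIL, FLAGS)
PATCHED = re.compile(r'^([ \t]*)If\s*\(\s*' + IP_CHECK + r'\s*\)' + TAIL, FLAGS)
REPLACEMENT = 'If (strServerIP = strRemoteIp) And objASPError.File <> "?" Then'


def audit(asp_source):
    """Classify 500-100.asp text as 'vulnerable', 'patched' or 'unknown'."""
    if VULNERABLE.search(asp_source):
        return "vulnerable"
    if PATCHED.search(asp_source):
        return "patched"
    return "unknown"  # customised or commented-out gate: review by hand


def apply_fix(asp_source):
    """Return (new_source, replacements); leaves patched input unchanged."""
    return VULNERABLE.subn(lambda m: m.group(1) + REPLACEMENT, asp_source)


# Constructed sample: only the gate line follows the article; the rest is
# placeholder text, not the real contents of 500-100.asp.
SAMPLE = (
    "<%\n"
    '  if (strServerName = "localhost"  or strServerIP = strRemoteIP) '
    'and objASPError.File <> "?" then\n'
    "    ' detailed error output (placeholder)\n"
    "  End If\n"
    "%>\n"
)

if __name__ == "__main__":
    print(audit(SAMPLE))
    fixed, count = apply_fix(SAMPLE)
    print(count, audit(fixed))
```

A result of "unknown" means the gate line was not found in either form, for example because the page has been customised, so the condition should be reviewed by hand.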

Keywords: kbprb KB906910


© Microsoft Corporation. All rights reserved.