Article ID: 296096
Article Last Modified on 6/23/2005
APPLIES TO
- Microsoft Internet Information Server 4.0
- Microsoft Internet Information Services 5.0
- Microsoft Active Server Pages 4.0
This article was previously published under Q296096
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:
SYMPTOMS
When you explicitly request the Global.asa file (for example, when you request http://payroll/global.asa), the browser displays the source code for the Global.asa file instead of the expected HTTP 500-15 status code.
CAUSE
This behavior occurs after you remove the script mapping for the .asa file type and is by design. When application types are not mapped to a specific Internet Server Application Programming Interface (ISAPI) application (such as Asp.dll or Ssinc.dll), IIS returns the requested content to the browser with a Content-Type: application/octet-stream header. This header indicates that the browser should render the data as text, so the source code of the Global.asa file is displayed in the browser.
RESOLUTION
To prevent the display of source code for Global.asa files, add the application mapping (sometimes referred to as script mapping) for the .asa extension back to the Web application or applications that return source code. To do this, follow these steps:
- Click Start, click Run, type inetmgr, and then click OK to open the Internet Service Manager (ISM) Microsoft Management Console (MMC).
- Expand the nodes under Internet Information Server to display the Web application that is returning source code for the Global.asa file.
- Right-click the Web application, and then click Properties.
- On the Home Directory tab, click Configuration.
- On the App Mappings tab, click Add.
- Type the following information in the Add/Edit Application Extension Mapping dialog box that appears:
Executable: C:\WINNT\System32\inetsrv\asp.dll
Extension: .asa
Limit to: GET,HEAD,POST,TRACE
Script engine: checked
MORE INFORMATION
This problem is not unique to the .asa file type, and can occur for any script-mapped ISAPI application (including .asp file types). However, the effects may be less noticeable with other file types such as .asp because many browsers do not render content that is in the server-side script tags. The Global.asa file requires server-side script to be included in <SCRIPT> tags, which render in the browser. The following .asp code sample is likely to display only the word "World" in the browser, even though "<% Response.Write("Hello")%>" is visible when you view the source of the .asp document in the browser:
<% Response.Write("Hello") %> World
NOTE: If Application or Session variables are not initialized in a Web application, the .asa extension may not be properly mapped to Asp.dll. Without the application mapping, the Global.asa file does not execute when requests are made to the specified Web application.
Additional query words: scriptmap script-map appmap app-map
Keywords: kbprb kbpending KB296096