
Viewable Script Logic Bug


Microsoft Corporation
April 2, 1997

When using Internet Information Server (IIS), if you place a period (".") after any script-mapped file name in the URL you enter in a browser, you receive unexpected results. The browser displays a document that contains the scripting information as well as other data in the file.

For example, if you enter:

http://server_name/asp_directory/file.asp.

you receive something like:

<% emailx=request.form("email")
   remarkx=request.form("remark")
   Set Conn = Server.CreateObject("ADODB.Connection")
   Conn.Open "Local SQL Server", "sa", "DTide"
   Set RS = Conn.Execute("insert into Web_data.dbo.ASP_data(email,remark) values('" & emailx & "','" & remarkx & "')") %>

Your information has been added to our database.

The browser should return a confirmation Web page, without the script.

Cause

The problem affects any script-mapped files requested from a virtual directory that has both read and execute permissions set. Adding one or more extra periods onto the end of the URL causes the file to be displayed in the browser, instead of run on the server. This allows end users to see information that may be confidential, such as server-side script logic (for example, the discount applied to the retail price from a database). This problem affects any file in the script-map list, such as .asp, .ht., .id, .PL, and so forth.

This problem only occurs on virtual directories that have both read and execute access. If read is disabled, the server-side information is not viewable by the end user.
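
The following is an added example, not part of the original article: a log check that flags requests for script-mapped files whose name ends in one or more periods, and marks those answered with status 200 as likely source disclosures. It assumes a W3C extended log with a #Fields header that records the URL as requested; the extension set, the function name and the sample log lines are constructed for illustration.

```python
import re

# Extensions treated as script-mapped, taken from the article's examples.
# Assumption: extend this set to match the server's own script-map list.
SCRIPT_MAPPED = {".asp", ".pl"}

# A file extension followed by one or more trailing periods at the end of the URL.
TRAILING_DOT = re.compile(r"(\.[A-Za-z0-9]+)\.+$")

# Constructed sample log (W3C extended format), not taken from a real server.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
1997-04-02 10:00:01 192.0.2.10 GET /asp_directory/file.asp 200
1997-04-02 10:00:05 192.0.2.11 GET /asp_directory/file.asp. 200
1997-04-02 10:00:09 192.0.2.11 GET /scripts/report.PL.. 200
1997-04-02 10:00:12 192.0.2.12 GET /docs/readme.txt. 404
1997-04-02 10:00:15 192.0.2.13 GET /asp_directory/file.asp. 403
"""


def find_trailing_dot_requests(log_text, extensions=SCRIPT_MAPPED):
    """Return one record per request for a script-mapped file with trailing periods."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):          # skip malformed rows
            continue
        rec = dict(zip(fields, parts))
        uri = rec.get("cs-uri-stem", "")
        match = TRAILING_DOT.search(uri)
        if not match or match.group(1).lower() not in extensions:
            continue
        hits.append({
            "client": rec.get("c-ip"),
            "uri": uri,
            "status": rec.get("sc-status"),
            # Status 200 means the server returned the file body for this request.
            "source_served": rec.get("sc-status") == "200",
        })
    return hits


if __name__ == "__main__":
    for hit in find_trailing_dot_requests(SAMPLE_LOG):
        print(hit)
```

Any hit with source_served set points at a virtual directory that has both read and execute permissions, which is the condition described under Cause.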

Resolution

To resolve this problem, do either of the following:




© 1999 Microsoft Corporation. All rights reserved. Terms of use.